
NEWS: MS appoints chief security strategist


Jeffrey A. Setaro

Feb 1, 2002, 4:46:22 PM
MICROSOFT APPOINTS CHIEF SECURITY STRATEGIST

Posted February 01, 2002 02:39 Pacific Time

SINGAPORE -- MICROSOFT Corp. has appointed Scott
Charney as chief security strategist with the task of
developing strategies to enhance the security of
Microsoft products, services and infrastructure, the
company announced in a statement Thursday.

Charney will start work at Microsoft on April 1 after
leaving his current post as a principal at
PricewaterhouseCoopers LLP (PwC)'s Cybercrime Prevention and
Response Practice, according to the statement.


For the full story:
<http://www.infoworld.com/articles/hn/xml/02/02/01/020201hnstrategist.xml?0201fram>


--
Cheers-

Jeff Setaro
jase...@sprynet.com
http://home.sprynet.com/~jasetaro/
PGP Key IDs DH/DSS: 0x5D41429D RSA: 0x599D2A99

Sugien

Feb 1, 2002, 4:50:48 PM

"Jeffrey A. Setaro" <jase...@sprynet.com> wrote in message
news:MPG.16c4d6ae7...@nntp.sprynet.com...

Well, let's hope that because he is starting on April Fools' Day that the
public isn't the one that gets fooled


--
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
https://www.paypal.com/refer/pal=dinosoft%40adelphia.net
Click the above for a fast , and easy way to send money on line


m...@tadyatam.invalid

Feb 1, 2002, 5:11:31 PM
SURPRISE SETTLEMENT EVENLY SPLITS MICROSOFT;
ONE FIRM TO MAKE SOFTWARE, OTHER TO MAKE PATCHES
Redmond, Wash. - In a surprise settlement today with nine U.S.
states, Microsoft agreed to be split into two independent
companies - one that will continue to make Microsoft operating
systems, browsers, and server software, and another, potentially
larger company that will make patches for Microsoft operating
systems, browsers, and server software.


with thanks to Cartoonist Lennie Peterson

--J
Replies to: jNpolak(at)Ojuno(dot)Tcom

[PaX]

Feb 1, 2002, 5:36:04 PM
>>>>SURPRISE SETTLEMENT EVENLY SPLITS MICROSOFT;
ONE FIRM TO MAKE SOFTWARE, OTHER TO MAKE PATCHES
Redmond, Wash. - In a surprise settlement today with nine U.S.
states, Microsoft agreed to be split into two independent
companies - one that will continue to make Microsoft operating
systems, browsers, and server software, and another, potentially
larger company that will make patches for Microsoft operating
systems, browsers, and server software.<<<<<<


Bewhahahahahahhaha EXCELLENT!!
rgrds Dalt


gun...@his.house.org

Feb 1, 2002, 7:40:15 PM
In article <MPG.16c4d6ae7...@nntp.sprynet.com>,
jase...@sprynet.com says...

> MICROSOFT APPOINTS CHIEF SECURITY STRATEGIST
>
[..snip...]

I think it interesting to note that they're announcing
a "strategist" instead of a team of code experts.
Strategists are hired to figure out what to do,
which I thought should have been obvious....fix
the freaking bugs, and build security in from the
ground up in new products.

Damn...when do _I_ get a title with "Chief" in it?
Those are the guys who get rich if they succeed,
and if they fail, they get paid-off to leave early.
Sweet deal, if ya ask me.

Gunther

m...@tadyatam.invalid

Feb 1, 2002, 8:21:13 PM

Indeed. Disturbing yet for another reason -- "strategist" could
be a euphemism for "spinmaister" (or PR man). Continue do the
same @#$% under a new 'n improved "mission statement."

--J
Replies to: jNpolak(at)Ojuno(dot)Tcom

Wessel

Feb 2, 2002, 9:00:13 AM

<m...@tadyatam.invalid> wrote in message
news:3C5B3E87...@tadyatam.invalid...

Actually I hope they mean someone who can hold the (strategic) designers
within bounds. A lot of bugs or security risks were originally designed as
features without thoroughly thinking about the scope or the impact, overall,
of the product.
The designers seem to think too narrowly in the scope they design something
for, without realising the consequences for, for instance, net access. Or they
erroneously assume that everybody will behave in the way they envision it
(i.e. passport use) and things work unforeseen when users don't do that.

I think a manager on top where design features are discussed is welcome if
he has the right to veto where security issues are not fully addressed.

grtz Wessel
> --J
> Replies to: jNpolak(at)Ojuno(dot)Tcom


Nick FitzGerald

Feb 2, 2002, 6:08:29 PM
<m...@tadyatam.invalid> wrote:

> Indeed. Disturbing yet for another reason -- "strategist" could
> be a euphemism for "spinmaister" (or PR man). ...

Couldn't agree more -- this was also pretty much my first reaction.

> ... Continue do the
> same @#$% under a new 'n improved "mission statement."

Yep.

And who *is* Scott Charney? Has anyone ever heard of him before?

According to the press release he is currently "principal at
PricewaterhouseCoopers LLP (PwC)'s Cybercrime Prevention and Response
Practice".

Excuse me for being unimpressed, but WTF does PWC do in the "Cybercrime
Prevention and Response" business? Have I missed some earth-shattering
news that featured PWC's Cybercrime Prevention and Response Practice in
some major computer security development?

Reading the whole of the InfoWorld article linked in the message that
started this thread, we see that Charney was "chief of the Computer
Crime and Intellectual Property Section (CCIPS), Criminal Division, at
the U.S. Department of Justice, from 1991 to 1999". A lawyer?

Going beyond the InfoWorld article to other news sources, you quickly
learn that, apart from being an unknown cybercrime prevention and
response consultant, Charney is a well-qualified lawyer and before the
CCIPS job was assistant DA in New York where he made a name for himself
as a "cybercrime expert" by dint of being the person who successfully
prosecuted members of the "Masters of Doom".

Of the small-ish number of articles on this that I've looked up over
the last few days, the one I liked best is this:

http://www.computerworld.com/storyba/0,4125,NAV47_STO67871,00.html?OpenDocument&~f

Reading between the lines just a little, I think that rather clearly
spells out that this is entirely a political appointment. Worse, it
is a political appointment of someone not sufficiently technical to
actually have a chance of changing things inside MS for the better.
I think the long-term (hidden agenda) goal of his appointment will be
to inculcate him in MS' sloppy development practices and then have him
convince the politicians (and judiciary should that fail) that large,
complex software cannot be made and shipped secure (in an economically
feasible way -- and the US economy needs Microsoft, right?) and that
the real problem is not the corporate leeches making shitty software
but the nasty hackers (aka "cyber criminals") who, instead of
participating in productive employment and use of their skills,
encourage the death of the global capitalist system by attacking the
leading example of all that is good about that system (and anyway,
they're clearly communist scum because most of them support that evil,
no-good open source software movement...).

Of course, I could be wrong, but one has to wonder what useful
perspective a lawyer, whose main focus has been catching teenage "cyber
criminals", can have **that is likely to bring the necessary technical
and procedural changes inside Microsoft**. I think Alan Paller's
comments on this are way wide of the mark -- MS developers do know the
real impact of their sloppiness. The "problem" is that they just do
not give a shit because they get paid anyway (and get huge bonuses for
shipping on schedule or ahead of time) and do so regardless of the
quality of the code. No amount of political persuasion is going to
change that. Link code blocks to specific employees (both code cutters
*and* the managers that sign-off on the code) and make *retaining*
vesting rights in MS share bonuses dependent on that code not having to
be revised for *inherent* security problems (that is, problems in that
code, whether found by later internal audit or by external "hacking")
within the vesting period. Make "severe enough" changes to such code
that are not discovered until after such a sanction runs out impact the
programmers' and managers' bonus entitlement for the current year. Then
encourage the coders to take responsibility for their own code -- if they
find and fix an old error before it is found by others, then they are
absolved of "blame" for it, even if MS doesn't ship the fix before a
problem associated with that code fault is reported. That might improve
things at MS, right? I still don't see where having credibility on
Capitol Hill impacts the likely success of such a move...

And what's with the talk about him being a "communicator", a "people
person"?? If even 10% of the stories are to be believed, Microsoft's
development practices got to where they are today by ball-breaking,
desktop-slapping, foot-stomping, shouting and screaming tactics from
people like current CEO Steve Ballmer and various other (now mostly
former) product managers and senior executives. Maybe the best thing MS
could do to improve the security of its products is fire a few of those
people and put managers who understand that quality takes time, and that
KISS and "do it once, do it right" type principles actually pay off in
the longer run. Maybe MS could not afford to do that when it was trying
to beat IBM's OS/2 to the corporate desktop and when it was trying to
oust Sun, HP, Digital, etc out of the server room, but now we have had
enough years of "the MS way" two things should be very apparent -- the
quality of what MS gave sucks big time *and* MS has the freaking money
to afford anything...

Maybe I am too cynical, but it seems unlikely that someone who got his
current "credibility" by locking up people who took advantage of sloppy
software development practices is the right person to get those
practices "fixed". Right or wrong, it certainly is ironic -- had those
sloppy practices not been there in the first place, Charney may not have
had a reputation vaguely in-line to allow him to be considered for his
new job of getting those sloppy practices fixed!

I just read parts of the InfoWorld and ComputerWorld articles again and
can't help but be impressed Charney's appointment means MS really did not
want someone who would change things inside MS. Most of the strongly
positive commentary is about Charney's prosecutorial abilities and the
fact he set up prosecutorial processes for cybercrime and intellectual
property issues. If he had a background in suing software makers for
making unfit, insecure and otherwise faulty products he might have been
the right person...


--
Nick FitzGerald


gun...@his.house.org

Feb 2, 2002, 9:44:33 PM
In article <3c5c...@clear.net.nz>, ni...@virus-l.demon.co.uk says...

>
> Couldn't agree more -- this was also pretty much my first reaction.
>
> > ... Continue do the
> > same @#$% under a new 'n improved "mission statement."
>
> Yep.
>
> And who *is* Scott Charney? Has anyone ever heard of him before?
>
[...]

> the real problem is not the corporate leeches making shitty software

Well writ, Master Nick.
Gunther

Ron & Ree

Feb 3, 2002, 1:58:55 AM
> I just read parts of the InfoWorld and ComputerWorld articles again and
> can't help but be impressed Charney's appointment means MS really did not
> want someone who would change things inside MS. Most of the strongly
> positive commentary is about Charney's prosecutorial abilities and the
> fact he set up prosecutorial processes for cybercrime and intellectual
> property issues. If he had a background in suing software makers for
> making unfit, insecure and otherwise faulty products he might have been
> the right person...
> --
> Nick FitzGerald
>
Isn't part of the new 'trustworthy' program to suppress knowledge of their
programs' faults?
Who better than an Attorney to go after people 'attacking' their software?

Ron Williams

Nick FitzGerald

Feb 4, 2002, 5:49:42 AM
<gun...@his.house.org> wrote:

> Well writ, Master Nick.

You're welcome.

If you, or others, enjoyed that, I suspect you'll like today's coverage
of this from El Reg...

http://www.theregister.co.uk/content/55/23912.html


--
Nick FitzGerald

