Charney an ominous MS pick

Not good -- not at all good


At the Blackhat Security Briefings in New Orleans last week my standard opening question in conversation was, "So, what do you think about Scott Charney?"

For the most part, the standard response was, "Who's that?"

If you have not heard yet, Microsoft has announced that Mr. Charney, previously a security and cybercrime specialist at Price Waterhouse Coopers, has been named to fill the newly-minted position of Chief Security Strategist -- a mutation of the title that Howard Schmidt used to own.

I'm not too surprised to see that many people on the technical end of computer security have not heard of Scott; after all, most of his notoriety comes from his involvement in government-related activities. Before joining Price Waterhouse Coopers in November of 1999, he served as chief of the Justice Department's Computer Crime and Intellectual Property Section, where he supervised twenty-two federal officials in prosecuting hackers.

What I am surprised to see is that people, both in and outside of Microsoft, don't really seem to have a very clear idea as to what Charney will actually do.

In my last article, I charged Microsoft with hiring a person who would, by virtue of their very identity, speak directly to the new and public decree of Bill Gates that security would now be Job One for Microsoft.

I don't think they have done it.

I'm not being critical of Mr. Charney. He seems to have a good track record for doing what he was paid to do in the government and at Price Waterhouse Coopers. I just have some concerns about what his appointment might bring in the future, particularly in the context of what seems to be a trend in regard to vulnerability disclosure.

Charney's new job may look a lot like his old one.

Recently, Microsoft was awarded a patent for what they call a Digital Rights Management (DRM) Operating System, designed to protect copyrighted software or content from duplication.

Though the full explanation of a DRM OS is outside of the scope of this column, one particular aspect of it is pertinent. The proposed DRM OS would only accept drivers that were digitally signed by Microsoft. Such a system would support aspects of copy protection at the kernel level and put very tight restrictions on what drivers could be loaded, and by whom.

With that in mind, fast-forward a bit to some point in the future when someone discovers a root exploit in the DRM OS.

Since the vulnerability would give us access to the kernel, and the kernel would give us the ability to circumvent copy protection mechanisms, certain parties might just consider the publication of such a bug -- particularly if accompanied by exploit code -- to be a technology that allows one to break digital copy protection.

And guess what? That would be illegal under the Digital Millennium Copyright Act. So under the right circumstances, where you have the right government people hooked up with the right lawyers, sharing particular information about the security hole could be considered a crime.

Think it won't happen? People have already been sued for printing DeCSS source code on T-shirts. Chew on that for a moment.

Bad Moon Rising

This would fit nicely with Microsoft's recent efforts to limit disclosure of security vulnerabilities, as seen in Scott Culp's "Information Anarchy" piece and the subsequent formation of the Gang of Six.

In previous columns, I said these events would not bring an end to full disclosure, and that it would be a financial win for the participants. I stand by that. However, when you step back a bit and look at the obvious direction that things are going, it does indeed strike a discordant note.

To get a legal perspective on this, I asked Jennifer Granick, clinical director of the Center for Internet and Society at Stanford Law School, what she thought about the implications of all this. She replied that it "didn't look good for the free flow of information." There is no question about that.

Charney is not a technologist; he is a lawyer. How convenient. He is also one of Howard Schmidt's best friends, and Schmidt is now in Washington as the vice chairman of the federal Critical Infrastructure Protection Board.

Microsoft's pick might signal that the company intends to launch a hacker crackdown of its own.

Some at Microsoft with whom I shared this point of view insist that I am being a paranoid conspiracy theorist, but I can't help but think that when you take a look at the entire picture, it stinks just a little.

Microsoft is not finished hiring security people to see its security commitment come to fruition. And there are certainly people within the organization who are resolved to make security happen. But when you consider the long journey they have ahead of them, I don't think this was a very auspicious beginning.

© 2002 SecurityFocus.com, all rights reserved.
