Charney an ominous MS pick

Not good -- not at all good


At the Blackhat Security Briefings in New Orleans last week my standard opening question in conversation was, "So, what do you think about Scott Charney?"

For the most part, the standard response was, "Who's that?"

If you have not heard yet, Microsoft has announced that Mr. Charney, previously a security and cybercrime specialist at Price Waterhouse Coopers, has been named to fill the newly-minted position of Chief Security Strategist -- a mutation of the title that Howard Schmidt used to own.

I'm not too surprised to see that many people on the technical end of computer security have not heard of Scott; after all, most of his notoriety comes from his involvement in government-related activities. Before joining Price Waterhouse Coopers in November of 1999, he served as chief of the Justice Department's Computer Crime and Intellectual Property Section, where he supervised twenty-two federal officials in prosecuting hackers.

What I am surprised to see is that people, both in and outside of Microsoft, don't really seem to have a very clear idea as to what Charney will actually do.

In my last article, I charged Microsoft with hiring a person who would, by virtue of their very identity, speak directly to the new and public decree of Bill Gates that security would now be Job One for Microsoft.

I don't think they have done it.

I'm not being critical of Mr. Charney. He seems to have a good track record for doing what he was paid to do in the government and at Price Waterhouse Coopers. I just have some concerns about what his appointment might bring in the future, particularly in the context of what seems to be a trend in regard to vulnerability disclosure.

Charney's new job may look a lot like his old one.

Recently, Microsoft was awarded a patent for what they call a Digital Rights Management (DRM) Operating System, designed to protect copyrighted software or content from duplication.

Though the full explanation of a DRM OS is outside of the scope of this column, a particular aspect of it is pertinent. The proposed DRM OS would only accept drivers that were digitally signed by Microsoft. Such a system will support aspects of copy protection at the kernel level, and put very tight restrictions on what drivers could be loaded, and by whom.

With that in mind, fast-forward a bit to some point in the future when someone discovers a root exploit in the DRM OS.

Since the vulnerability would give us access to the kernel, and the kernel would give us the ability to circumvent copy protection mechanisms, certain parties might just consider the publication of such a bug -- particularly if accompanied by exploit code -- to be a technology that allows one to break digital copy protection.

And guess what? That would be illegal under the Digital Millennium Copyright Act. So under the right circumstances, where you have the right government people hooked up with the right lawyers, sharing particular information about the security hole could be considered a crime.

Think it won't happen? People have already been sued for printing DeCSS source code on T-shirts. Chew on that for a moment.

Bad Moon Rising

This would fit nicely with Microsoft's recent efforts to limit disclosure of security vulnerabilities, in Scott Culp's "Information Anarchy" piece, and the subsequent formation of the Gang of Six.

In previous columns, I said these events would not bring an end to full disclosure, and that they would be a financial win for the participants. I stand by that. However, when you step back a bit and look at the obvious direction in which things are going, it does indeed strike a discordant note.

To get a legal perspective on this, I asked Jennifer Granick, clinical director of the Center for Internet and Society at Stanford Law School, what she thought about the implications of all this. She replied that it "didn't look good for the free flow of information." There is no question about that.

Charney is not a technologist; he is a lawyer. How convenient. He is also one of Howard Schmidt's best friends, and Schmidt is now in Washington as the vice chairman of the federal Critical Infrastructure Protection Board.

Microsoft's pick might signal that the company intends to launch a hacker crackdown of its own.

Some at Microsoft with whom I shared this point of view insist that I am being a paranoid conspiracy theorist, but I can't help but think that when you take a look at the entire picture, it stinks just a little.

Microsoft is not finished hiring security people to see their security commitment come to fruition. And there are certainly people within the organization who are resolved to making security happen. But when you consider the long journey they have ahead of them, I don't think this was a very auspicious beginning.

© 2002 SecurityFocus.com, all rights reserved.
