Charney an ominous MS pick

Not good -- not at all good


At the Blackhat Security Briefings in New Orleans last week my standard opening question in conversation was, "So, what do you think about Scott Charney?"

For the most part, the standard response was, "Who's that?"

If you have not heard yet, Microsoft has announced that Mr. Charney, previously a security and cybercrime specialist at Price Waterhouse Coopers, has been named to fill the newly-minted position of Chief Security Strategist -- a mutation of the title that Howard Schmidt used to own.

I'm not too surprised to see that many people on the technical end of computer security have not heard of Scott; after all, most of his notoriety comes from his involvement in government related activities. Before joining Price Waterhouse Coopers in November of 1999, he served as chief of the Justice Department's Computer Crime and Intellectual Property Section where he supervised twenty-two federal officials in prosecuting hackers.

What I am surprised to see is that people, both in and outside of Microsoft, don't really seem to have a very clear idea as to what Charney will actually do.

In my last article, I charged Microsoft with hiring a person who would, by virtue of their very identity, speak directly to the new and public decree of Bill Gates that security would now be Job One for Microsoft.

I don't think they have done it.

I'm not being critical of Mr. Charney. He seems to have a good track record for doing what he was paid to do in the government and at Price Waterhouse Coopers. I just have some concerns about what his appointment might bring in the future, particularly in the context of what seems to be a trend in regard to vulnerability disclosure.

Charney's new job may look a lot like his old one.

Recently, Microsoft was awarded a patent for what they call a Digital Rights Management (DRM) Operating System, designed to protect copyrighted software or content from duplication.

Though the full explanation of a DRM OS is outside of the scope of this column, a particular aspect of it is pertinent. The proposed DRM OS would only accept drivers that were digitally signed by Microsoft. Such a system will support aspects of copy protection at the kernel level, and put very tight restrictions on what drivers could be loaded, and by whom.

With that in mind, fast-forward a bit to some point in the future when someone discovers a root exploit in the DRM OS.

Since the vulnerability would give us access to the kernel, and the kernel would give us the ability to circumvent copy protection mechanisms, certain parties might just consider the publication of such a bug -- particularly if accompanied by exploit code -- to be a technology that allows one to break digital copy protection.

And guess what? That would be illegal under the Digital Millennium Copyright Act. So under the right circumstances, where you have the right government people hooked up with the right lawyers, sharing particular information about the security hole could be considered a crime.

Think it won't happen? People have already been sued for printing DeCSS source code on T-shirts. Chew on that for a moment.

Bad Moon Rising

This would fit nicely with Microsoft's recent efforts to limit disclosure of security vulnerabilities, in Scott Culp's "Information Anarchy" piece, and the subsequent formation of the Gang of Six.

In previous columns, I said these events would not bring an end to full disclosure, and that it would be a financial win for participants. I stand by that. However, when you step back a bit and look at the obvious direction that things are going, it does indeed strike a discordant note.

To get a legal perspective on this, I asked Jennifer Granick, clinical director of the Center for Internet and Society at Stanford Law School, what she thought about the implications of all this. She replied that it "didn't look good for the free flow of information." There is no question about that.

Charney is not a technologist; he is a lawyer. How convenient. He is also one of Howard Schmidt's best friends, and Schmidt is now in Washington as the vice chairman of the federal Critical Infrastructure Protection Board.

Microsoft's pick might signal that the company intends to launch a hacker crackdown of its own.

Some at Microsoft with whom I shared this point of view insist that I am being a paranoid conspiracy theorist, but I can't help but think that when you take a look at the entire picture, it stinks just a little.

Microsoft is not finished hiring security people to see their security commitment come to fruition. And there are certainly people within the organization who are resolved to making security happen. But when you consider the long journey they have ahead of them, I don't think this was a very auspicious beginning.

© 2002 SecurityFocus.com, all rights reserved.
