This is just wrong: MS security chief becomes DHS cybersecurity boss


Virus Guy

This is perplexing, given Microsoft's (in)competence at foisting a line
of operating systems upon the world (starting with XP-gold) that has
directly led to the current state of chaos.

I wonder why this administration thinks that this Micro$oft boob can
undo the carnage caused by other Micro$oft boobs.
Philip Reitinger,
chief trustworthy infrastructure strategist at Microsoft

You're kidding - right?

Someone actually has that title at Micro$haft?

In other news - how do you spell gov't contract kickbacks? Ask Philip
Reitinger.

-----------------------------

http://www.theregister.co.uk/2009/03/13/ms_dhs_boss_role/

13th March 2009 19:04 GMT

A senior Microsoft exec has been placed in charge of protecting the US's
computer systems from hacking attacks.

Philip Reitinger, chief trustworthy infrastructure strategist at
Microsoft, has been appointed to the lead role in protecting the US
government's computing network from cyberattack. He was tapped by
US Homeland Security Secretary Janet Napolitano. The role is formally
described as deputy undersecretary for the DHS's National Protection and
Programs Directorate.

Reitinger previously served as the executive director of the Defense
Department's Cyber Crime Center, which supplies computer forensics and
investigation services to the US military. He's also worked in the
Department of Justice, as deputy chief of the Computer Crime and
Intellectual Property division.

The appointment follows a week after Rod Beckstrom, director of the DHS
National Cybersecurity Center, quit citing his opposition to what he
described as the National Security Agency's increased role in
cybersecurity. Reitinger will assume charge of running the centre,
according to reports.
 

Leythos

This is perplexing, given Microsoft's (in)competence at foisting a line
of operating systems upon the world (starting with XP-gold) that has
directly led to the current state of chaos.

Every computer we've put at clients offices in the last decade has
worked fine and almost all of them have run Windows operating systems.

The only people that seem to have problems fit into two
categories:

1) Terminally ignorant/stupid
2) Pushing the edge on systems of questionable quality

If you build a hardware stable system and don't install crappy programs
they seem to be very stable and a properly secured network means you
don't have any "chaos" problems like you pretend.
 

Virus Guy

Leythos said:
Every computer we've put at clients offices in the last decade
has worked fine and almost all of them have run Windows
operating systems.

This is not a matter of "working fine". Most hardware does in fact "work
fine".

This is a matter of software, particularly the Operating System, that
leaves the user vulnerable to having their system infiltrated or
remotely accessible / controllable by a third party.

In that regard, Windows XP was an excellent platform for such remote
control.

------------
Microsoft rushed XP into the home and SOHO market well before it was
ready to protect itself from internet intrusion. Microsoft did that,
because it was more important to retire an older (but more secure)
operating system (win-98) in favor of one that required serialized
activation (WPA) - which was XP. The sooner Win-98 could be flushed
from world-wide usage, the less that Microsoft would have to worry
about software piracy through filesharing and emerging P2P technologies.
-----------

And it did not matter who the user / operator was of the infected
machine. Some of the legendary network worms that emerged in 2003 and
2004 did not require anything from the user other than to turn on their
machine.
If you build a hardware stable system and don't install crappy
programs they seem to be very stable and a properly secured
network means you don't have any "chaos" problems like you
pretend.

You clearly either weren't around, or have selective memory, regarding
the exploits that were circulating in 2002 through 2004 for win-2K and
XP systems that rendered them infected virtually within minutes of
having an internet connection.

I suggest you google the phrase "internet survival time".

And you also downplay the role that DNS poisoning and server-farm
hacking plays in malware distribution. Many otherwise well-protected
and carefully used systems are infected through those mechanisms, NOT
because the user installs questionable software or visits questionable
websites.

You, and others like you, like to blame the user when a system becomes
infected. Yet you refuse to acknowledge that the malware industry is
always striving to perfect distribution and infection mechanisms that
don't rely on the user visiting questionable websites, opening
questionable e-mail attachments, or installing questionable software.

David H. Lipman said:
Philip Reitinger worked for (Department of Defence,
Cybercrime Center) and US Dept of Justice before Microsoft
so he has the qualifications.

He has connections, but likely little to no technical knowledge about
how the world came to be in such a botnet mess, and he is (or will be) a
likely Microsoft sympathiser / apologist in his new role. The
positioning of former Microsoft employees at high-levels within the US
gov't will be of great benefit to Microsoft as they continue to defend
themselves in court on antitrust charges.
 

Virus Guy

David H. Lipman said:
I don't know why you quoted ' "David H. Lipman" wrote: ' but
not what I wrote.

Yes, you did write the following in another post in this thread:

-----------------
Philip Reitinger worked for https://www.dc3.mil/ and
http://www.usdoj.gov/criminal/cybercrime/index.html
before Microsoft so he has the qualifications.
-----------------

So why are you claiming otherwise?
No matter, I beg to differ from your presumption.

That Philip Reitinger is not qualified (or appropriate) in the DHS role?
 

Leythos

This is a matter of software, particularly the Operating System, that
leaves the user vulnerable to having their system infiltrated or
remotely accessible / controllable by a third party.

In that regard, Windows XP was an excellent platform for such remote
control.

And if you were paying attention for the last so many years, you would
be aware of how to limit the exposure.

I've been working with computers since the late 70's and never had one
compromised by ANY malware of any type. Our networks are also set up to
be secure while still allowing businesses to do business related tasks,
and they've not been compromised....

Security is about what YOU know.
 

Virus Guy

Leythos said:
And if you were paying attention for the last so many years, you
would be aware of how to limit the exposure.

What - like axing your internet connection?
I've been working with computers since the late 70's and never
had one compromised by ANY malware of any type.

Any experience prior to, oh, say, 1995 is irrelevant to today's security
discussions. Any experience you have between, oh, say, 1995 and 2000 is
questionable in today's context.
Our networks are also set up to be secure while still allowing
businesses to do business related tasks, and they've not been
compromised....

There are very few situations where what you say can be true:

1) the networks / lans you set up or manage have no internet
connectivity

2) the networks /lans you set up or manage have a handful of
people, and you personally stand behind them and monitor
their personal web-surfing and email-opening behavior.

Does 1 and 2 sound ridiculous? Well 2 certainly does. But unless you
are Superman of the network LAN, no sys-admin can claim they've kept
malware off a corporate lan of any significant size for the better part
of 10 years. So your claim is highly suspicious, if not pure hyperbole.
Security is about what YOU know.

If you've never personally seen malware on any machine you've installed,
managed, administered, or troubleshot, then I'm highly suspicious of your
diagnostic methods and techniques or your powers of observation.

Because other than using a pair of wire cutters to sever your corporate
lan from the internet, there has never been a completely fool-proof set
of products, procedures, AV scanners and timely OS updates and patches
that come together 100% of the time, every time, to stop or block every
new threat that comes down the pipe.
 

Leythos

What - like axing your internet connection?

Nope, personally, at home, I have full access to the internet from many
stations, but, like with our corporate designs, I filter content from
HTTP, SMTP, FTP, and block many file types. I even have one machine that
can download exe/com files and then we test and distribute them from
that location.
Any experience prior to, oh, say, 1995 is irrelevant to today's security
discussions. Any experience you have between, oh, say, 1995 and 2000 is
questionable in today's context.

But it shows that even back then it was about understanding and about
thinking - cracking a network is much different today than it was back
then, it was easier, but today it's almost as easy to secure one with
the vast array of tools that they have built for us to use.
There are very few situations where what you say can be true:

And you've just proven how little you know about security and how much
of a troll you are.
1) the networks / lans you set up or manage have no internet
connectivity

You can easily have connectivity to APPROVED business necessary sites.
2) the networks /lans you set up or manage have a handful of
people, and you personally stand behind them and monitor
their personal web-surfing and email-opening behavior.

LOL, again, you show that you don't have ANY corporate experience and
that you've completely misunderstood security.

Since users can't access "Personal" stuff on the web, since the logs are
monitored in real time, since ONLY necessary ports are open, since all
ports are inspected, etc... heck, why do you need to monitor them by
standing at their desk, they don't have access to PERSONAL stuff while
at WORK. Oh, and email is monitored, after X number of emails, based on
the role of the person, it triggers a flag that causes a manual
inspection of their emails - while not a threat, we have found people
that sent upwards of 800 emails per shift/day to friends instead of
working, and they were fired.
Does 1 and 2 sound ridiculous? Well 2 certainly does. But unless you
are Superman of the network LAN, no sys-admin can claim they've kept
malware off a corporate lan of any significant size for the better part
of 10 years. So your claim is highly suspicious, if not pure hyperbole.

Sure, it's easy - what you don't understand is basic security. In a
proper environment everything is blocked unless it's proven to be a
business need, everything is filtered and inspected and many file types
are completely blocked in HTTP/SMTP/FTP, and USB ports are disabled by
GPO settings, so are CD/DVD drives.... It's very easy.

So, you've shown that for someone with the handle of "Virus Guy" that you
really know very little about malware or the protection from it.
If you've never personally seen malware on any machine you've installed,
managed, administered, or troubleshot, then I'm highly suspicious of your
diagnostic methods and techniques or your powers of observation.

And you should be, since you don't appear to understand or know anything
about security.
Because other than using a pair of wire cutters to sever your corporate
lan from the internet, there has never been a completely fool-proof set
of products, procedures, AV scanners and timely OS updates and patches
that come together 100% of the time, every time, to stop or block every
new threat that comes down the pipe.

And yet you don't seem to understand how one can be secure while using
their network.
 

Leythos

MBUnit said:
I guess you have never worked in a totally locked-down corporate
environment. You can't surf, you can't send or receive emails to/from
the outside world, you can't install anything, nothing. It was all
blocked or if you went to what they considered approved sites with a
browser, the site was reduced to being just text only.

We don't go near that far, at least not in sites that are not military,
but as a general rule, all sites/ports are blocked unless a "Business
Need" is shown and approved. The same with file content - HTTP/FTP/SMTP
files/content is blocked unless it's shown to have a business need and
then it's almost always scanned/filtered by 2 different products.
I had to even get permission and be setup to even send notification
emails on the corporate LAN to a select few support persons for the
application that was using the Web server's SMTP on the corporate LAN.
I have contracted in a couple of environments like that as a programmer.
I did have admin rights on the machine to do programming stuff, but
other than that, total lock-down for all but a very few.

In general, users never run as more than "Local Users", even in my home.
 

Virus Guy

MBUnit said:
I guess you have never worked in a totally locked-down corporate
environment.

It's not that, and it's not that I don't doubt that there are such corporate
environments.

If someone is going to set up such an environment, then what are they
doing here, bragging that they're such a genius that they can keep
malware off their systems? I too can claim I've never had a car
accident if I keep my car parked in my driveway for 10 years. Does that
make me a good driver?

There are plenty of home, soho, edu and other entities that are not
going to be compatible with such an environment. Now tell me how you've
kept malware off a set of those machines, since the 1970's even.
 

Virus Guy

Leythos said:
LOL, again, you show that you don't have ANY corporate experience and
that you've completely misunderstood security.

The vast majority of computer use is NOT in a locked down setting. Be
it home, soho, education, institutional, corporate, etc.

Even within locked-down networks, it's still possible for malware to
circulate within those networks from people bringing in infected media.
Since users can't access "Personal" stuff on the web,

So that's your solution?
In a proper environment everything is blocked unless it's proven
to be a business need,

You are clearly not addressing the wider audience that reads these
posts.

which is basically what you've admitted is what you do, so don't blather
on that I don't understand that concept
And yet you don't seem to understand how one can be secure while
using their network.

Your idea of securing a PC or a network is not compatible with the vast
majority of PC usage currently. (but I'm not saying that it doesn't
work, nor that it's not absolutely necessary for some entities).

It goes without saying that with enough network appliances, with enough
network admins, with enough policy settings, that you essentially cut
the internet connectivity to the corporate desktop machine while still
giving it all the LAN it needs. So I'm supposed to be impressed that
that's your solution?
 

Leythos

It's not that, and it's not that I don't doubt that there are such corporate
environments.

But there should be the majority set up like that, instead it's the
minority that are properly set up.

it should not be just "Corporate", it should be your home too.
If someone is going to set up such an environment, then what are they
doing here, bragging that they're such a genius that they can keep
malware off their systems? I too can claim I've never had a car
accident if I keep my car parked in my driveway for 10 years. Does that
make me a good driver?

I wasn't bragging, I was stating a fact that shows you don't know what
you're talking about. You can secure a home just as easily, if not more
easily, as you can a corporate office or small business.

The point is that you claimed Windows was chaos, but that's because of
your lack of experience and your lack of understanding the threat base
as well as the methods to block threats. In reality, the problem with
Windows OS is not the OS, since the security issues are well documented,
it's the ignorant and terminally stupid that ignore the masses of
information telling them how to protect their system.
There are plenty of home, soho, edu and other entities that are not
going to be compatible with such an environment. Now tell me how you've
kept malware off a set of those machines, since the 1970's even.

Wrong, they are 100% compatible with it, but you have to have a company
that's willing to enforce it instead of believing that Employees should
be given personal time on the company/school network - which they should
not.

Oh, and I could lock down a school network just as easily and still give
the students the ability to research their papers/projects.

Your ignorance and ego are showing VG, just like your personal attack
need in the subject.
 

Leythos

The vast majority of computer use is NOT in a locked down setting. Be
it home, soho, education, institutional, corporate, etc.

What they "Are" and what they "Should" be is the problem and it shows
that your mindset is part of the problem.
Even within locked-down networks, it's still possible for malware to
circulate within those networks from people bringing in infected media.


So that's your solution?

Part of it, there is no reason to do more than work while at work. You
don't have a "Right" to access personal things from the office.
You are clearly not addressing the wider audience that reads these
posts.

Yes, I clearly am, you just don't like what you're reading.
which is basically what you've admitted is what you do, so don't blather
on that I don't understand that concept

Hardly, but since you can't comprehend a secure network while still
being able to fully support the business, well, you will never
understand.
Your idea of securing a PC or a network is not compatible with the vast
majority of PC usage currently. (but I'm not saying that it doesn't
work, nor that it's not absolutely necessary for some entities).

Wrong, it's 100% compatible with WORK, and 100% compatible with Home.
Why do you need access to Yahoo Mail from work if your company doesn't
use Yahoo Mail? Why do you need access to Yahoo anything from Home if
you don't have accounts there?

Why do you need the google toolbar on your computer? Etc....

The reason it's not implemented for the vast majority of PC's is because
of people with your mindset - that it must be a problem to secure the
PC, it must be restricting something "I believe I need, even though I
don't know what that is"....
It goes without saying that with enough network appliances, with enough
network admins, with enough policy settings, that you essentially cut
the internet connectivity to the corporate desktop machine while still
giving it all the LAN it needs. So I'm supposed to be impressed that
that's your solution?

It takes just 1 admin, part time, after the solutions are put in place,
to keep it running and secure. You're supposed to realize that you're
missing a LOT of the picture and are not comprehending what you're being
told, and that you should go and study security if you want to learn how
to EASILY secure your home/work networks.
 

Virus Guy

Leythos said:
I wasn't bragging, I was stating a fact that shows you don't know
what you're talking about. You can secure a home just as easily,
if not more easily, as you can a corporate office or small business.

And you don't know what you're talking about.

You haven't sufficiently considered the use-case and the admin and
equipment costs that these other users (home, soho, etc) would have to
face in order to replicate your idea of a safe computing environment.

If it's so easy, if it's so cheap, if it's so ergonomic, then why isn't
it more common?

Because it's not easy, it's not cheap, and it's not ergonomic. Not for
the home user, not for the soho user, and not important enough for most
institutional users. The cost/benefit is simply not there.
The point is that you claimed Windows was chaos,

What are you, a Microsoft apologist?

The truth is that Microsoft largely created the current untrustworthy
and vulnerable computing environment by rushing the release of XP-gold
back in the fall of 2001. Whether by design, or dumb luck, the OS it
was designed to replace (win-98se) was far less vulnerable to the
exploits that surfaced during the 2002 and beyond time frame.
but that's because of your lack of experience

I have a LACK OF NEED to create the locked-down computing environment
that you promote. That means I actually have MORE experience than you
do at working with PC's that are constantly exposed to malware and
intrusion vectors from all directions.

I also do not share the same cost/benefit ratio that you do in terms of
a locked-down network, be it a single home PC or a cluster of 5 to 10
soho machines.
and your lack of understanding the threat base as well as the
methods to block threats.

By not having a locked down network, I've experienced first-hand which
threats have (and haven't) gotten through to which machines running what
OS's. Over the past 10 years, the numbers are indeed very small (for me
anyways). Then again, my machines are not part of a network that's
involved with launching ICBM's. (your flippant remark will no doubt
come next).
In reality, the problem with Windows OS is not the OS,

Many linux and OSX people would disagree with you.
since the security issues are well documented,

After they've been discovered and exploited. And in many cases never
patched by the vendor or the user.
it's the ignorant and terminally stupid that ignore the masses
of information telling them how to protect their system.

And it's ignorant and terminally stupid to think that every home PC user
is fixated on the vulnerability and security situation of their system.
Wrong, they are 100% compatible with it, but you have to have a
company that's willing to enforce it

What is it about the home user and soho network that you don't
understand?

Not every home/soho has an IT department, you know.
Your ignorance and ego are showing VG

Take your head out of your ass and look around. Not everyone at home or
in their Small Office Home Office (SOHO) has an IT department working
for them, nor would they tolerate having a locked down and utterly
over-managed internet experience.

You constantly disregard any use-case or environment other than the
gov't (or perhaps military) computing environment.
 

Virus Guy

MBUnit said:
I am working in a shop now where the developers (...)
and there is no AV on the machines
and we do surf and do emails with the outside world
I don't think there is an AV on the machine in the entire company
With protect mode on in IE 7 ...
with other features implemented on those platforms ...
there seems to be no need for AV's and other such solutions.

Don't tell that to Leythos.

He doesn't / won't believe it.

He would have a screaming fit and take an ax to your internet connection
until he puts a few blocking appliances on your network boundary and
hand picks the websites your developers can access. He'll relegate them
all to user status and lock down their machines and he'll be the only
one with admin privileges.

He'll be like the soup nazi. He'll tell your developers "No more
youtube for you!".

No more facebook, no yahoo, no hotmail, no google, no gmail, no ebay, no
wikipedia.

But don't worry, because after a month of that you'll have no
developers.
 

Leythos

I have a LACK OF NEED to create the locked-down computing environment
that you promote. That means I actually have MORE experience than you
do at working with PC's that are constantly exposed to malware and
intrusion vectors from all directions.

You really have ego and comprehension problems.

If you think that you have "MORE" experience with computers and fighting
malware on computers than someone that designs and maintains secure
networks then you've really shown the group what a moron you are.
 

Leythos

Don't tell that to Leythos.

He doesn't / won't believe it.

Sure I would, you're the idiot that claims that Windows is not secure.

I know home users that have run for years without AV software and with
nothing more than a simple NAT router and their machines were clean of
all detectable malware when checked.

So, which way do you want it - either Windows is the problem or the
people, like you, are the problem. I'm going with PEOPLE like you are
the problem.
 

Leythos

MBUnit said:
BTW, I am using my laptop to post, which is connected to the company's
wireless. Of course, the machine cannot reach the domain. :)

And a properly secured network would not have permitted you to connect
:)
 

Leythos

MBUnit said:
Oh, I have exposed that on a couple of networks, and I was cut off in
short order as they knocked out my ability to connect to use the WAN
connection. And a message sent to all contract developers in a meeting.

It's just at this company that I am working at now are they a little
lax on the wireless. It's open to the public.

LOL - I worked as a contractor for a small company many years ago, was
doing DBA work, and they let me use my own laptop. Two days later they
were complaining that I had brought a virus into their network.... As it
was traced back, it was found that the IT Admin, head of IT, had been
using his laptop to surf porn and gambling sites at home, without any
firewall, and was then bringing the same laptop into work - and he was
logging into the network as a domain admin, making it that much easier
to spread the malware.....
 

Leythos

MBUnit said:
Yeah, I believe you about the porn. There was this accounting controller
that would go to the sites during his lunch break that he took in his
office. Of course, the traffic was seen, and he was fired once the
evidence was gathered and presented to the president and vp(s) of the
company.

I was in charge of a large development team before starting my own
company. They had no real protection when I got there. I installed
managed AV, firewall, filtering, etc...

Everyone had to sign an Acceptable Use policy document that stated they
COULD be fired for any infraction of the policy - some quit rather than
sign it, no real loss.

The very next day, several of the ones I thought would not be PORN
addicts were in more than an hour early and I watched the firewall
monitor (we had not enabled blocking) show the sites and file downloads
to their system...

I told everyone in a meeting that we were going to monitor, gave them
fair warning, didn't name any specific people, and the next day the same
thing happened - this time I posted the logs on the board in the lunch
room - the next day they were not in early and didn't do it again. At
that point I turned on blocking and it was really amazing how much
productivity the shop gained, almost 40% increase in productivity over
the previous 30 months, in just 1 week.

Yes, we had the whiners, the complainers, the people that claimed they
had a right to access personal email during their breaks - I said fine,
do it without using any company resources, without our electricity, and
if you bring a computer/laptop into the shop, according to policy, we
get to inspect it at cost to you..... Worked that way for years without
a problem.
 
