At the Blackhat Security Briefings in New Orleans last week my standard opening question in conversation was, "So, what do you think about Scott Charney?"
For the most part, the standard response was, "Who's that?"
If you have not heard yet, Microsoft has announced that Mr. Charney, previously a security and cybercrime specialist at Price Waterhouse Coopers, has been named to fill the newly-minted position of Chief Security Strategist -- a mutation of the title that Howard Schmidt used to own.
I'm not too surprised to see that many people on the technical end of computer security have not heard of Scott; after all, most of his notoriety comes from his involvement in government-related activities. Before joining Price Waterhouse Coopers in November of 1999, he served as chief of the Justice Department's Computer Crime and Intellectual Property Section, where he supervised twenty-two federal officials in prosecuting hackers.
What I am surprised to see is that people, both in and outside of Microsoft, don't really seem to have a very clear idea as to what Charney will actually do.
In my last article, I charged Microsoft with hiring a person who would, by virtue of their very identity, speak directly to the new and public decree of Bill Gates that security would now be Job One for Microsoft.
I don't think they have done it.
I'm not being critical of Mr. Charney. He seems to have a good track record for doing what he was paid to do in the government and at Price Waterhouse Coopers. I just have some concerns about what his appointment might bring in the future, particularly in the context of what seems to be a trend in regard to vulnerability disclosure.
Charney's new job may look a lot like his old one.
Recently, Microsoft was awarded a patent for what they call a Digital Rights Management (DRM) Operating System, designed to protect copyrighted software or content from duplication.
Though a full explanation of a DRM OS is outside the scope of this column, one particular aspect of it is pertinent. The proposed DRM OS would only accept drivers that were digitally signed by Microsoft. Such a system would support aspects of copy protection at the kernel level, and put very tight restrictions on what drivers could be loaded, and by whom.
With that in mind, fast-forward a bit to some point in the future when someone discovers a root exploit in the DRM OS.
Since the vulnerability would give us access to the kernel, and the kernel would give us the ability to circumvent copy protection mechanisms, certain parties might just consider the publication of such a bug -- particularly if accompanied by exploit code -- to be a technology that allows one to break digital copy protection.
And guess what? That would be illegal under the Digital Millennium Copyright Act. So under the right circumstances, where you have the right government people hooked up with the right lawyers, sharing particular information about the security hole could be considered a crime.
Think it won't happen? People have already been sued for printing DeCSS source code on T-shirts. Chew on that for a moment.
Bad Moon Rising
This would fit nicely with Microsoft's recent efforts to limit disclosure of security vulnerabilities, as seen in Scott Culp's "Information Anarchy" piece and the subsequent formation of the Gang of Six.
In previous columns, I said these events would not bring an end to full disclosure, and that it would be a financial win for the participants. I stand by that. However, when you step back a bit and look at the obvious direction in which things are going, it does indeed strike a discordant note.
To get a legal perspective on this, I asked Jennifer Granick, clinical director of the Center for Internet and Society at Stanford Law School, what she thought about the implications of all this. She replied that it "didn't look good for the free flow of information." There is no question about that.
Charney is not a technologist, he is a lawyer. How convenient. He is also one of Howard Schmidt's best friends, and Schmidt is now in Washington as the vice chairman of the federal Critical Infrastructure Protection Board.
Microsoft's pick might signal that the company intends to launch a hacker crackdown of its own.
Some at Microsoft with whom I shared this point of view insist that I am being a paranoid conspiracy theorist, but I can't help but think that when you take a look at the entire picture, it stinks just a little.
Microsoft is not finished hiring security people to see their security commitment come to fruition. And there are certainly people within the organization who are resolved to making security happen. But when you consider the long journey they have ahead of them, I don't think this was a very auspicious beginning.
© 2002 SecurityFocus.com, all rights reserved.