Aug. 5, 1998 Transcript of an Online Chat With Howard Schmidt

Howard Schmidt, Director of Information Security for Microsoft Corporation was online to discuss high-tech crime and security issues.

The chat was live from the 8th Annual International Symposium on Criminal Justice Issues, sponsored by the Office of International Criminal Justice (OICJ), at the University of Illinois at Chicago. The focus of this year’s conference is high-tech crime, information warfare, and terrorism in cyberspace.

Chicago, Il.: What has to happen to make the Web a truly secure place to sell goods
and services?

Howard Schmidt: The web is currently a secure place to do business, The issue is more one of knowing who you are oding business with and that you are using a secure encrypted session

WASHINGTON, DC: HOW DO YOU STOP SEX COMPANIES FROM SENDING YOU MAIL VIA THE INTERNET?

Howard Schmidt: The unsolicited e-mail (or SPAM) has been everything from an annoyance to downright offensive. The newer e-mail packages give you the ability to block email address and or text containing certain phrases (XXX for example) These have helped reduce the SPAM

Chicago, Il. : What is the most fascinating case involving computers that you've dealt
with?

Howard Schmidt: Probably the most fascinating was the one where the hackers "hopped" around the world trying to hide their tracks. The coordination of various governments, law enforcement agencies and corporations made it REAL interesting.

Doha, State of Qatar: I would like your views on the US Government's export restrictions on encryption code. It seems to me a short sighted view harmful to US based software developers. The technology will be developed by someone, why not by someone in the US?

Howard Schmidt: While there is a valid concern for criminals using encryption to conduct their business, there is a bigger need for the security of our systems. There are quite a number of encryptions programs availible and any restrictions limits the abilities of US companies to compete.

Arlington, Va.: What is Microsoft developing to protect children from online crime?

Howard Schmidt: Microsoft has built parental controls into the Web Browsers, We also participate in education forums to help parents work with their children to be safer online. We also provide training for law enforcement to assist them in these types of investigations.

St Louis: How to make PIN protected Banking transactions through modem more secure and reliable ?

Howard Schmidt: For the most part these types of transactions are secure and safe

Washington, DC: i've heard of a case where email is sent to someone, and the person opened the email, then a virus started loaded up into all software programs. can one prevent this ?

Howard Schmidt: Many of these stores have been proven to be false. When in doubt and you don't know the sender delete the mail

Arlington, Va.: What can Web surfers do to protect their privacy?

Howard Schmidt: First off surf smartly, don't give your information out to those you don't know, Secondly set you security setting to alert you when information is going out in the clear.

Arlington, VA: What advice do you have for minimizing attacks by "phreaking"?

Howard Schmidt: Changing default password drastically reduces the risk of "phreaking" Also using strong passwords and changing them often helps a lot. There are also good audit tools out there to monitor activity on PBXs

Alexandria, VA: Curious to your thoughts on Law Enforcement and Computer Crime. Their expertise seems to be lacking in this field.

Howard Schmidt: There has been a great increase in the training provided for law enforcement, organizations like the National White Collar crime center now provide classes around the country to train law enforcement to deal with these type of crimes

Chicago, Illinois: Howard, How can the average Internet user secure data on their own machines from being compromised while they are online?

Howard Schmidt: First off, do not share your system (networks share) secondly, Get online on the websites like http://www.microsoft.com/security and get the online information on securing your system.

Judith Doherty: We are roughly half-way through this live online discussion with cybercrime expert Howard Schmidt in Chicago.

Send your questions by clicking on the Submit Question hyperlink.

WASHINGTON, DC: HOW ARE COMPANIES ABLE TO GET YOUR E:MAIL ADDRESS WHEN THEY WERE UNSOLICITED?

Howard Schmidt: As online users we often leave our e-mail address in places we do not realize. There also are groups that sell this information to direct marketers without our knowledge. Look for the fine print and if you do not want to get mail let the company know you don't. But be carefull some will use your reply to confirm they have a good email address.

Palo Alto , CA: in several cases, university researchers have shown security flaws in Microsoft products,and microsoft released a path. Why couldn't release a more product first time? In some cases, the releases are very buggy.

Howard Schmidt: All software developers wish it could be done right the first time but with all of the different configurations,software packages and programs that might conflict it doesn't always happen the first time. We work closely with the universities to correct them ASAP

Washington, D.C.: What is the story with the recent problem Microsoft and Netscape mail products are having with attachments and potential code attacks?

Howard Schmidt: For details, check the web sites of the browser companies. The information (and fixes) are often posted there for all to see and fix

Chicago, Illinois: What role do you believe the private sector will play in countering cyber-terrorism pursuant to the President's Commission on Critical Infrastructure Protection?

Howard Schmidt: As the PCCIP stated, the owners and operators (private sector) need to work with the government in a partnership capacity to secure the infrastructure. The respective groups are meeting on a regular basis to make this happen

Alexandria, Va: I am not sure if anybody ask you already, I would like to ask your opinion about the current Hackers conference and their intent to distribute a program that can distr microsoft's system.

Howard Schmidt: Having attended a number of those conferences they always lead to some interesting meetings. As these types of programs are distributed we all work to reduce their effects and insure that they can cannot do harm to our systems

Palo Alto, California: I'm an American visiting home after many years in Europe and am amazed at the ignorance of a vast number of Americans when it comes to the global picture. What is it going to take to get Americans to become more interested in developments in business, politics, crime -- and threats from future infowars -- aside from direct attacks upon their own personal assets? Can Americans afford to ignore developments outside the US that set the stage for absolute mayhem everywhere (US included)?

Howard Schmidt: I am not sure who you have been communicating with that takes that attitude, but the vast majority of the people I deal with very much see the the global picture and react accordingly

windsor ct: How dominant do you think the WEB or the Internet will be in 10 or 20 years down the road?

Howard Schmidt: It it hard to say what theology will be in place then, but I can say whatever it is it will be global in nature, and real time just like this session!

Wash. DC: Is there a good way to keep a hacker from messing with files on an Internet server or knowing if one has?

Howard Schmidt: There are a number of server software auditing programs out there to help detect if someone has changed or accessed your systems. Intrusion Detection software alerts you in advance

Yorktown, NY: Is there any difference in the security level of secure online transactions, and credit card verification modems in use by most stores these days?

Howard Schmidt: I don't know the technical details between the two encryption/authentication methods. Sorry

Chicago, Il.: As a security expert, what's your worst nightmare? How likely is it that
your fears will become reality?

Howard Schmidt: Coming to work and finding I no longer have access to log in. :<)

Chicago, Il. : What are the major security threats and problems you are currently
dealing with?

Howard Schmidt: The security threat I most often see is failing to install security patches on a timely basis. Weak passwords is next inline

Prague, Czech Republic: Do you feel that Central & East European countries that are first round candidates for EU and NATO membership could be good potential partners in the fight against high-tech-aided crime and infowar originating from other regions? If so, why does it seem that so many US, and other foreign, IT vendors employ local managers that know so very little about these topics or show no real interest in such future-oriented topics (they don't tune into many known channels)? Can efforts to educate be stronger? And do managers in IT companies back in the US really care to become more informed of the threats and opportunities, in terms of high-tech-aided crime and infowar, eminating from Central & Eastern Europe?

- Steven Slatem
IntelliTech Media, Inc.

Howard Schmidt: I don't have time to answer all of these but I will try to hit one part. The efforts to educate can always be stronger. Many companies and government agencies are working with these countries to provide better security

Vienna, VA: I have Windows98 CD now. But I
am hesitant to install it on my computer. The reason for that is that I'm afraid that
some of the hardware (e.g. printer, DVD board) are not supported by Windows98. What's my best option in deciding whether or not to install it?

Howard Schmidt: Check out the Microsoft Web site for any compatibility problems and with the hardware provider for any updates. My experience has been it is more compatible (and PLUG & PLAY ) then ever

Washington, DC: What are your sources for obtaining good information on high-tech crime? I would like to track such trends, but don't know which sources are the best bet. Thanks!

Howard Schmidt: Groups like the National White Collar Crime Center, High Tech Crimes Investigators Association and the Federal Computer Investigations Committee are all good sources

Judith Doherty: We're out of time now … so let's bring this online chat to a close. Microsoft security chief Howard Schmidt has answered your questions … live from Chicago. Thanks to all for participating.

Tomorrow at 1 p.m. EDT, come back for a live chat with encryption and info warfare expert Dorothy Denning of Georgetown University. And on Friday, our guest from the cybercrime conference will be retired FBI profiler William Tafoya, who worked on the UNABOM case. See you then.