MICHAEL B. SCHER
mbs -at- cultural.com
Located in Southern New Hampshire

Objective: A position allowing me to apply my knowledge of risk management, legal issues, security policy, and technical solutions in a challenging environment.

EMPLOYMENT

1/11-present VP, General Counsel
12/04-12/10 General Counsel, Compliance Architect
Nexum, Inc.
Privately-held IT security reseller, MSSP, and security architecture firm
Chicago, IL
Advise on and oversee company legal risk, contracts, NDAs, vendor partnership agreements, corporate policy and MSSP policy. Draft agreements and create overarching legal strategy for client and partner relationships. Oversee policy and technology risk practice. Specify and manage assessment engagements, standardize assessment reporting, process, and edit all corporate public-facing documents including technical deliverables.

6/04-12/04 Principal/Consultant
Cultural Consulting; direct consulting to client organizations
Chicago, IL
Legal research and consultation for several clients. Acted as interim Director of Security Architecture for F500 insurance conglomerate. Researched new IT security product market and policy initiatives for start-up software firm.

3/01-6/04 Director of Neohapsis Labs, General Counsel
Neohapsis, Inc.
Chicago, IL
Spearhead compliance/QA labs and security product testing standards development. Coordinate protocol and application level testing of vendors' products, beta and release. Advise on legal aspects of risk assessment and mitigation. Draft and review client contracts, NDA agreements, and internal IP policy.

5/00-3/01 Director of Security and Network Infrastructure
BrightSage/EthnicGrocer.com
Chicago, IL
Risk mitigation in IT services sector. Specify, design, oversee, and implement complex network and systems architectures for the ASP arm of a B-to-C specialty retailer. Created systems standards, security policy and best practice documents, procedures for IT, and oversaw the e-commerce datacenter systems and systems staff. Provided training, firewall and client back-end integration design, troubleshooting, and setup.

6/98-5/00 Senior Network Consultant
Tribune Information Systems, Network Technology Architecture group
Chicago, IL
Coordinate policy development and draft IT security policy. Created Best Practice Advisory (BPA) document series to guide staff and administrators in daily tasks and long-term design. Performed emergency server security evaluations and locked down mission critical systems including Peoplesoft/payroll servers. Coordinated and participated in four-month audit of corporate web site installation (140 sites in all), CGI back-ends, database installations, user and automated access methods and server and network security. Designed and documented standard, company-wide extranet installation. Coordinated stringent evaluation of VPN and firewalling products which included discovery of several severe security and reliability bugs in popular commercial security solutions. Assumed supervisory role in a number of long-term security development projects from universal SNK token access to documenting a set of standard, uniform remote access specifications.

3/97-6/98 Consultant
Cultural Consulting; subcontracting to a number of firms
Chicago, IL
Performed security audits and accessibility evaluations for a number of clients, under subcontract to several firms.

3/98 Financial Business Information Provider [restricted under non-disclosure]
Security evaluation of production network, including extranet services and nationwide "back-end" live database applications. Discovered and closed several critical holes in firewalls and extranet design using custom tools. Second-phase network testing performed using ISS Scanner.

12/97 West Coast gas & electric company [restricted under non-disclosure]
Security penetration test of entire network scheme in preparation for forthcoming control systems merger under deregulation. Test resulted in team achieving control of electrical grid, billing, and monitoring for region.

6/97 Interaccess Company
Chicago, Illinois
Secure setup of new user servers for large, Illinois-based ISP; recommended retooling of staff access utilities to help ensure servers remain as secure as possible while in use as general user machines.

3/97 Mobile Communications division of an RBOC [restricted under non-disclosure]
Security penetration test of entire network scheme for management and control of forthcoming PCS phone system.

5/96-6/97 Senior Systems Administrator/Security Analyst
Netural/U. S. Host
Chicago, IL
Shook down systems and networks for security problems; created and implemented operations, backup, and security systems and policies; recommended equipment purchases and software upgrades; performed security consultation, development, and implementation at client sites for SunOS/Solaris, FreeBSD, IRIX, OpenBSD, AIX, Cisco, Livingston, and various ISDN and analog communications products.

Consulting clients:

10/96-12/97 Cinch Connectors, a Labinal Company
Lombard, Illinois
Set up custom dual-homed bastion Internet gateway with HTTP/FTP proxying and SMTP and POP mail services with IP and user-based access controls on Solaris 2.5.1 Sparc platform for integration into HP/UX Universe environment. Project included design and development of a lpr/lpd replacement for more secure printing to the internal print servers.

3/97 Ambassador Apartments
Chicago, Illinois
Shakedown and reconfiguration of two recently compromised SGI systems, including bastion Gauntlet firewall machine; installation of more secure mail and filtering configurations and misc. other security replacement software.

6/94-5/96 Systems Analyst, Small Systems troubleshooter
University of Chicago Library
Repaired, set up, upgraded, and designed small computing systems for library staff; set up public access kiosks running Linux and Windows, and advised on security for same and for Sun and Linux servers while taking classes in pursuit of PhD.

1/94-6/95 General Counsel; Systems Administrator
Tezcat Communications
Chicago, IL
In-house practice advising on Tort, Contract, and Commercial Law [UCC, including paper and Article 9], equity, state computer crime law, and copyright and trademark liability; performed as well daily systems administration, security evaluation of servers, and incident response. Tezcat was the fifth Internet Service Provider in the Chicago area.

5/92-5/93 Research and Teaching Assistant
Duke University School of Law
Durham, NC
Designed and taught first-year Legal Writing course for dual degree candidates (J.D. with concurrent LL.M. or M.A.); researched specific problems in Torts for Professor Martin Stone.

1/92-12/92 Law Library Research Network Consultant
Duke University School of Law
Durham, NC
Trained students in the use of legal research software and services; troubleshot computer problems for students and faculty; maintained the Student Research Network computers.

5/91-8/91 Law Clerk
Maloof, Lebowitz, and Bubb
Florham Park, N.J.
Wrote and edited sections of briefs; outlined arguments; participated in legal research and document discovery. Designed searchable, indexed document repository for briefs and other filings, which saved the firm thousands of hours over the next decade. The firm focused on environmental insurance defense that summer as lead counsel in a series of superfund-derived cases.

EDUCATION

University of Chicago
Chicago, Illinois
Graduate Division of Social Sciences
Department of Anthropology
Currently candidate in write-up phase of Ph.D. program
Editorial Board, Section Editor, Chicago Anthropology Exchange, 1994-1996

Duke University
Durham, North Carolina

Graduate School
Department of Cultural Anthropology
A.M., September 1993 (concurrent with J.D. program)
Thesis: Dispute Resolution: A Look at the Subject and its Discipline
Concentrations: Legal anthropology; sociolinguistics

School of Law
J.D., May 1993
Dean's Advisory Committee

College of Arts and Sciences
A.B. (Cum laude), May 1990
Majors: Cultural Anthropology, English (Writing)
Angier B. Duke Memorial Scholarship Recipient
Layout Director, Publications Board

LECTURES

6/18/96 "Hype"
Summercon 96
Talk on the dangers of media and law enforcement hype at annual hacker convention.

1/16/98 "Computer Security and Intrusion: The Technical (a sketch of things to come)"
John Marshall Law School
Lecture on computer security concepts, complex system intrusion trends and predictions; given as part of the "Doing Business in a Networked World" conference.

10-11/99 Two lectures at John Marshall Law on infrastructure security and technical means of protecting information for David Loundy's class, IT 848: Computer Crime, Information Warfare, and Economic Espionage.

7/2000 "In a BIND" (Hear it at http://media.defcon.org:554/ramgen/defcon/dc-8/audio/DC-8-MIKE-SCHER-audio.rm)
DefCon 8
Talk on the functions of a DNS root service, ICANN, policy, and intellectual property issues as they were coming to a head.

10-11/00 Two lectures at John Marshall Law School on infrastructure security and technical means of protecting information for David Loundy's class, IT 848: Computer Crime, Information Warfare, and Economic Espionage.

6/2001 "Wrong: Everything you think you know about client to LAN VPNs"
Chicago Association of Internet Professionals, security SIG
Analysis of the cost benefits and risks of client-to-LAN VPN connections, with an emphasis on the risks produced by VPNs of this sort, and the costs of reducing those risks.

03/02 Two lectures at John Marshall Law School on infrastructure security and technical means of protecting information for David Loundy's class, IT 848: Computer Crime, Information Warfare, and Economic Espionage.

05/02 "Tech 102: Information Security Technology as Evidence"
The National Cybercrime Conference, JMLS, Chicago
Discussion and lecture of technical means of authentication and authorization both as a kind of evidence, and the use of post-factum authentication technical logs as evidence. For national computer crime conference sponsored by the ABA and JMLS.

SYSTEMS AND SECURITY EXPERIENCE

*NIX OSes:
SunOS, Solaris, IRIX, AIX, HP/UX, BSD/OS, OpenBSD, NetBSD, FreeBSD, Linux (various)

Other OSes:
Apple MacOS 7.1, 7.5.x, 8.x, 9.x, X
MS Windows 95, Windows NT 3 & 4, 2000

Routers and Terminal Servers:
Cisco 7xx, 8xx, 1x0x, 2xxx, 36xx, 4xxx, 72xx, 6xxx with IOS 10.x, 11.x, and 12.x
Livingston/Lucent Portmaster 2x, 3x
Telebit NetBlazers running V3.0x
KA9Q NOS
Misc. low-end routers

Ethernet Switches:
Cisco Catalyst 19xx, 29xx, 35xx, 55xx, and 6xxx series
Cabletron/Enterasys IA 1100
Lucent Cajun 8xx/5xx
Extreme Summit 5/7i, Summit 24/48
US Robotics TotalSwitch
Kalpana Etherswitch
Misc. 3Com switches
Misc. low-end switches

Security Applications:
Corporate extranet design and implementation
TIS/NAI Gauntlet, Cisco PIX, Watchguard, Sidewinder, NetScreen, Lucent, Nokia and Check Point firewall products
General X11R6.x, CDE and other XWindows-related security improvements
TCP/IP security enhancements at OS and architecture levels
Client-Server tunneling over TCP/IP with IPv6, IPsec, OpenVPN, and SSH
IPF in-kernel packet-filter/firewall software configuration and installation
PF in-kernel packet-filter/firewall software configuration and installation
IPChains/IPTables in-kernel packet-filters
Design and installation of home-grown, dual-homed proxying hosts
Network packet filter and firewall design, configuration, and implementation
OTP applications extending use of Defender, Cryptocard, Safeword, and generic SNK auth.
Double-authentication for multi-channel dialup (e.g., ISDN) using CHAP and ISDN calling-number-ID on Cisco 36xx

POLICY, SOCIAL SCIENCE BACKGROUND

A.M. Anthropology, Duke, 1993. Concentration in legal anthropology; thesis on dispute resolution.

Candidate for Ph.D., University of Chicago; entered program Sept. 1993, research proposal successfully defended and approved for study, June 1996, subject: Unauthorized access to computers and communications systems in the contemporary U.S. where there is no apparent fiscal motivation.

IT policy and best-practice development at Tribune Company.

Founder and 1999-present board president ISPFH Co-Op, an Illinois-based not-for-profit cooperative Internet Service Provider.

In-house counsel for Chicago-based ISP, 1994-1995; designed contracts, acceptable-use policies, and liability reduction plans.

Licensed to practice law in Illinois and New Hampshire.

Pro-bono work for 501(c)(3) organizations, nonprofit clubs, and technology cooperatives including ISPs and Makerspaces.