Will Microsoft's 'Hang 'em High' Plan Work?
The security community is reacting with both incredulity and excitement to the news that Microsoft is putting a quarter-of-a-million-dollar bounty on the heads of the virus writers behind the highly destructive Blaster and Sobig worms.
Microsoft Corp. announced yesterday that it is offering up separate $250,000 rewards for information leading to the arrest and conviction of the Blaster and Sobig authors. The rewards are part of the $5 million fund that Microsoft set aside to battle malicious code and the hackers and spammers behind it.
The software giant is working alongside the FBI, the United States Secret Service and Interpol in its anti-virus efforts.
''This has really become the wild, wild West,'' says Ken Dunham, director of malicious code at security company iDefense, Inc. based in Reston, Va. ''You put a big enough bounty out and sooner or later you'll hang somebody. A hundred years from now, people will be watching old movies about Microsoft, and a big bounty and all the hacker hangings.''
But Steve Sundermeier, a vice president with anti-virus company Central Command, Inc., based in Medina, Ohio., says Microsoft needs to be held more accountable for its own actions.
''It's kind of a public admission that there's a problem that needs to be addressed with the Microsoft software itself,'' says Sundermeier, who notes that Microsoft also may be reacting to the heat its feeling from competitor Linux. ''With a bounty, they're trying scare tactics instead of addressing vulnerabilities that exist in their own software.''
But while Sundermeier says Microsoft should be investing more in debugging Windows, he does say that the bounty just may bring some informants out of the weeds.
''Money always talks,'' he adds. ''The odds of somebody talking when there's a quarter of a million dollars on the line is much greater.''
Patrick Gray, a 20-year veteran of the FBI and currently a director at Internet Security Systems', a security company based in Atlanta, Ga., says experience in law enforcement proves that money definitely talks.
''I think it's cool. It's a marvelous idea,'' says Gray. ''Remember that there is no honor among thieves. And $250,000 to a guy sitting in his bedroom is a lot of money... We've been doing this for a hundred years in the physical sector -- all the way back to Billy the Kid. There's no reason it shouldn't work here.''
And Gray says the bounty just might work because virus writers like to brag. They write a virus and then watch it wreak havoc in the wild. But where's the fun if no one knows they were behind it? They head to a hacker chat room or IM their friends... and they brag.
''I worked the Mafia Boy investigation -- the guy who took down eBay and CNN,'' says Gray. ''He was all over the chat rooms. We caught him within seven or eight days of his last hit on CNN because he was out there talking about it.''
Microsoft and the Feds obviously are hoping this move extends beyond convicting the people behind Sobig and Blaster. They are hoping this will be a deterrent to future virus writers. But iDefense's Dunham says it won't be a deterrent if people are simply ratted on. People need to go to jail before it will have a real effect on the hacker community.
''People will pay attention if they start to get these guys and they're strung up,'' says Dunham. ''If they don't hang anyone, it won't be anything more than a marketing ploy... It's a complicated puzzle leading to an arrest. It's going to be very difficult actually putting someone away.''