Establishing Digital Trust: Don't Sacrifice Security for Convenience
Microsoft Corp. announced yesterday that it is offering up separate $250,000 rewards for information leading to the arrest and conviction of the Blaster and Sobig authors. The rewards are part of the $5 million fund that Microsoft set aside to battle malicious code and the hackers and spammers behind it.
The software giant is working alongside the FBI, the United States Secret Service and Interpol in its anti-virus efforts.
''This has really become the wild, wild West,'' says Ken Dunham, director of malicious code at security company iDefense, Inc. based in Reston, Va. ''You put a big enough bounty out and sooner or later you'll hang somebody. A hundred years from now, people will be watching old movies about Microsoft, and a big bounty and all the hacker hangings.''
Dunham says Microsoft's high-profile, high-priced effort is an announcement that the company is taking viruses seriously and that people will be held accountable for their actions.
But Steve Sundermeier, a vice president with anti-virus company Central Command, Inc., based in Medina, Ohio, says Microsoft needs to be held more accountable for its own actions.
''It's kind of a public admission that there's a problem that needs to be addressed with the Microsoft software itself,'' says Sundermeier, who notes that Microsoft also may be reacting to the heat it's feeling from competitor Linux. ''With a bounty, they're trying scare tactics instead of addressing vulnerabilities that exist in their own software.''
But while Sundermeier says Microsoft should be investing more in debugging Windows, he does say that the bounty just may bring some informants out of the weeds.
''Money always talks,'' he adds. ''The odds of somebody talking when there's a quarter of a million dollars on the line is much greater.''
Patrick Gray, a 20-year veteran of the FBI and currently a director at Internet Security Systems, a security company based in Atlanta, Ga., says experience in law enforcement proves that money definitely talks.
''I think it's cool. It's a marvelous idea,'' says Gray. ''Remember that there is no honor among thieves. And $250,000 to a guy sitting in his bedroom is a lot of money... We've been doing this for a hundred years in the physical sector -- all the way back to Billy the Kid. There's no reason it shouldn't work here.''
And Gray says the bounty just might work because virus writers like to brag. They write a virus and then watch it wreak havoc in the wild. But where's the fun if no one knows they were behind it? They head to a hacker chat room or IM their friends... and they brag.
''I worked the Mafia Boy investigation -- the guy who took down eBay and CNN,'' says Gray. ''He was all over the chat rooms. We caught him within seven or eight days of his last hit on CNN because he was out there talking about it.''
Microsoft and the Feds obviously are hoping this move extends beyond convicting the people behind Sobig and Blaster. They are hoping this will be a deterrent to future virus writers. But iDefense's Dunham says it won't be a deterrent if people are simply ratted on. People need to go to jail before it will have a real effect on the hacker community.
''People will pay attention if they start to get these guys and they're strung up,'' says Dunham. ''If they don't hang anyone, it won't be anything more than a marketing ploy... It's a complicated puzzle leading to an arrest. It's going to be very difficult actually putting someone away.''