Experts, IT managers say Microsoft should forget bounty, focus on security
Microsoft has set up a $5M reward fund to catch virus and worm writers
Computerworld - WASHINGTON -- Microsoft Corp.'s $5 million reward fund to catch virus and worm writers drew mixed reactions today from IT security managers and experts, some of whom would rather see the company use the money to improve Windows security than chase bad guys.
Flanked by officials from the FBI, the U.S. Secret Service and Interpol, Brad Smith, Microsoft's general counsel, detailed the program and its two first rewards, which were set at $250,000 each, for the authors of the MSBlast.A worm and the Sobig virus (see story).
The reward money, said Smith, is intended to help authorities "catch, prosecute and convict people who break the law by launching malicious viruses and worms on the Internet."
Law enforcement officials said they welcome Microsoft's help. "Efforts like this, which involve the private sector, are going to be critical to our success," said Peter Townsend, deputy assistant director of investigations at the Secret Service. With most of the nation's critical infrastructure under private-sector control, "this cannot be solved by the private sector alone; it cannot be solved by the government alone."
Connie Sadler, IT security director at Brown University in Providence, R.I., said the money would likely be better spent improving the security of the Windows operating system. "I would rather see Microsoft make a solid investment in prevention and containment" of viruses, said Sadler. Right now, it's up to users to build barriers that limit the damage from a virus or worm, she said.
Brown, for instance, has firewall rules that prevent one dorm from talking to another if a problem occurs, said Sadler. "It would be nice to see some network operating system that would help us do that," she said.
Hugh McArthur, information security officer at Reston, Va.-based Online Resources Corp., an online bill-processing firm, also had doubts about the reward's effectiveness. "At the highest level, it's one way of Microsoft making themselves a little bit better," said McArthur. "But I think it does not address the underlying issue that the vulnerabilities that the worms and viruses attack still exist.
"The resources might be better spent fixing those problems than going after [virus writers]\," he said.
Smith, in response to questions at today's news conference, said the reward isn't a substitute for improving the security of Microsoft's Windows software, but is a sign that the company recognizes that it needs "to move forward on multiple fronts" to address the virus problem.
Some security experts said the reward may help.
Rewards programs have worked successfully for the FBI and other law enforcement agencies and should work well in the digital realm as well, said Patrick Gray, a former FBI agent and head of the emergency response team at Atlanta-based Internet Security Systems Inc.
"It's unfortunate that things have come to this," Gray said. "But it's time to stop focusing only on the buggy software and go after the criminal elements that exploit [it] as well."
Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University in West Lafayette, Ind., said that if virus or worm authors "did it for bragging rights or as a general 'experiment,' then there is a chance that a reward might turn up leads."
But if the viruses are written by professionals -- such as viruses designed to support spam distribution -- then a reward will be less useful, said Spafford. "Identification and prosecution of authors to date has been poor, so this might really help," he added.
Microsoft's move is a "good news, bad news kind of thing," said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. On the positive side, actions such as this will serve as stronger deterrents against malicious hackers and result in more of them being prosecuted, he said. "So it will help scare away some of the 20-year-olds that are writing these sorts of worms and viruses," Pescatore said.
On the other hand, "I hate to see software vendors diverting their management attention and money toward rewards programs, because rewards programs work only after the damage has been done," Pescatore said. "I would rather see them put the same money and attention on making their software safer in the first place," he said.
Additional reward announcements will be made after consulting with law enforcers, said Smith.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts