Experts, IT managers say Microsoft should forget bounty, focus on security

Patrick Thibodeau and Jaikumar Vijayan   Today’s Top Stories   or  Other Security Stories  

Dynamic Data Center and Virtualization Drives Operational Excellence at Emory Healthcare The Secure Web Gateway. Mission Critical For Business Bringing Order and Security to your Mobile Workforce: Corporate Mobility Policy and Device Management An Overview of PAN Manager by Egenera Maximizing Business Agility with the Dynamic Data Center Fast and Simple Recovery of Your Critical Microsoft® Applications with Symantec Backup Exec" Computerworld Report- Large Enterprises Pay More for IPAM An Apple for Your Enterprise? Six Questions To Ask About Information And Competition Sign up to receive Security Resource Alerts

November 5, 2003 (Computerworld) -- WASHINGTON -- Microsoft Corp.'s $5 million reward fund to catch virus and worm writers drew mixed reactions today from IT security managers and experts, some of whom would rather see the company use the money to improve Windows security than chase bad guys.
Flanked by officials from the FBI, the U.S. Secret Service and Interpol, Brad Smith, Microsoft's general counsel, detailed the program and its two first rewards, which were set at $250,000 each, for the authors of the MSBlast.A worm and the Sobig virus (see story).
The reward money, said Smith, is intended to help authorities "catch, prosecute and convict people who break the law by launching malicious viruses and worms on the Internet."
Law enforcement officials said they welcome Microsoft's help. "Efforts like this, which involve the private sector, are going to be critical to our success," said Peter Townsend, deputy assistant director of investigations at the Secret Service. With most of the nation's critical infrastructure under private-sector control, "this cannot be solved by the private sector alone; it cannot be solved by the government alone."
Connie Sadler, IT security director at Brown University in Providence, R.I., said the money would likely be better spent improving the security of the Windows operating system. "I would rather see Microsoft make a solid investment in prevention and containment" of viruses, said Sadler. Right now, it's up to users to build barriers that limit the damage from a virus or worm, she said.
Brown, for instance, has firewall rules that prevent one dorm from talking to another if a problem occurs, said Sadler. "It would be nice to see some network operating system that would help us do that," she said.
Hugh McArthur, information security officer at Reston, Va.-based Online Resources Corp., an online bill-processing firm, also had doubts about the reward's effectiveness. "At the highest level, it's one way of Microsoft making themselves a little bit better," said McArthur. "But I think it does not address the underlying issue that the vulnerabilities that the worms and viruses attack still exist.
"The resources might be better spent fixing those problems than going after [virus writers]\," he said.
Smith, in response to questions at today's news conference, said the reward isn't a substitute for improving the security of Microsoft's Windows software, but is a sign that the company recognizes that it needs "to move forward on multiple fronts" to address the virus problem.
Some security experts said the reward may help.
Rewards programs have worked successfully for the FBI and other law enforcement agencies and should work well in the digital realm as well, said Patrick Gray, a former FBI agent and head of the emergency response team at Atlanta-based Internet Security Systems Inc.
"It's unfortunate that things have come to this," Gray said. "But it's time to stop focusing only on the buggy software and go after the criminal elements that exploit [it] as well."
Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University in West Lafayette, Ind., said that if virus or worm authors "did it for bragging rights or as a general 'experiment,' then there is a chance that a reward might turn up leads."
But if the viruses are written by professionals -- such as viruses designed to support spam distribution -- then a reward will be less useful, said Spafford. "Identification and prosecution of authors to date has been poor, so this might really help," he added.
Microsoft's move is a "good news, bad news kind of thing," said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. On the positive side, actions such as this will serve as stronger deterrents against malicious hackers and result in more of them being prosecuted, he said. "So it will help scare away some of the 20-year-olds that are writing these sorts of worms and viruses," Pescatore said.
On the other hand, "I hate to see software vendors diverting their management attention and money toward rewards programs, because rewards programs work only after the damage has been done," Pescatore said. "I would rather see them put the same money and attention on making their software safer in the first place," he said.
Additional reward announcements will be made after consulting with law enforcers, said Smith.

Print this Story

Send Us Feedback

E-mail this Story

Digg this Story

Slashdot this Story

"Some Asian airlines are reporting rising losses to inflight credit card fraud because there is typically no online credit-card authorization..." Read more... "In Wednesday's..." Read more... Read more Security posts or See all Blogs

Microsoft dumps OneCare, slates free security software for '09 Google deal produces 91% of Mozilla's revenue Thanks to gamers, the desktop supercomputer arrives More top stories...

Ballmer: Yahoo acquisition won't happen, despite Yang's departure Microsoft feared Mac vs. Vista comparison in '05, insider e-mails show Microsoft Exchange's challenges: Partners, the cloud, and (still) Lotus Notes

2008 Salary Survey: IT pay takes tiny leaps If you're like our 7,000 survey respondents, your paycheck this year has been flattened and your bonus obliterated. We offer 12 ways to plump up your paycheck. Windows 7 in-depth review and video: This time Microsoft gets it right Microsoft's next OS might more accurately be called Windows 6.5: It's essentially a better version of Vista. Twitter for business: 5 ways to tap the power of the tweet Twitter can be a valuable business tool -- if you know what you're doing. Here's how to juice it for all it's worth. Microsoft's 'Vista Capable' changes outraged HP, insider e-mails show By helping Intel with loosened 'Vista Capable' requirements, Microsoft 'severely damaged' its credibility, said an HP exec in a newly unsealed Feb. 2006 e-mail. Windows 7 Get the latest news, reviews and more about Microsoft's newest desktop operating system More Continuing Coverage Windows 7 Voting Technology Google's Chrome browser Economy in turmoil: Latest news and tips iPhone 3G Bill Gates moves on Windows Vista A to Z Mac A to Z 2008 Salary Survey Find wage data for 50 IT job titles. More Special Reports 2008 Premier 100 IT Leaders 2007 Premier 100 IT Leaders 2008 Best Places to Work in IT 2007 Best Places to Work in IT 2008 Salary Survey 2007 Salary Survey 2006 Salary Survey 2008 IT Forecast 2007 IT Forecast 40 Years of Computerworld Top 12 Green-IT Users The FAQs About Going Green IT Schools to Watch iPhone: One Year Later Global Mobile Your Next Data Center Management: Reinventing IT Stop Data Leaks Web 2.0 Security Surviving Disasters Managing Storage Virtualization The Lean Storage Machine Storage on Trial Can Web 2.0 Save BI? Bypass These BI Potholes All Zones Business Continuity Zone The File Data Management Zone Security Management Zone The SAS Zone Business Intelligence and Analytics Zone The Enterprise Search Zone Software as a Service Zone The Security Zone See your link here

Moving to Windows Vista: The Promise, The Reality Moving to Windows Vista: The Promise, The Reality View this exclusive webcast today! Go to the webcast  Computerworld Executive Bulletin: Building a Robust Antivirus Defense Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs. (Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more. Download this executive briefing  Quick Sizing Guide for SAS Grid Running on HP BladeSystems and EVA Storage Download this white paper today! (Source: HP) Designed for CIOs, IT managers, data center managers and grid computing architects seeking to improve performance, SAS Grid Computing on the HP BladeSystem c-Class helps accelerate growth and mitigate risks with a simplified, consolidated infrastructure that's agile enough to efficiently handle change. SAS Grid Manager on HP BladeSystem can lower costs through automation, virtualization and improved IT efficiency. Download this white paper  White Papers Read up on the latest ideas and technologies from companies that sell hardware, software and services. Deploying Virtualized NetWare on Linux Whitepaper Collaboration Tools and Organizational Success Driving Business Success Through Workgroup Choice and Flexibility View more whitepapers

• Microsoft dumps OneCare, slates free security software for '09
• Ballmer: Yahoo acquisition won't happen, despite Yang's departure
• Google deal produces 91% of Mozilla's revenue
• More top stories 

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day. New baits

"Turning information into a Competitive Advantage" Companies today are realizing that competitive advantage is harder to sustain when based solely on gains in productivity and cost efficiency. The focus is shifting to invest more in business optimization initiatives which rely on trusted information to develop new insights that deliver better business results. But how can this be done efficiently in a business environment across multiple applications and processes. The answer is an Information Agenda - an innovative approach to transforming business information into a strategic asset for competitive advantage. View this webcast now!  See more Webcasts

Steven J. Vaughan-Nichols: The World without Linux DATELINE: WindowsWorld 2008: Microsoft CEO and President, Steve Ballmer was happy as a clam today when he announced, for the 4th time this century, that Longhorn would be released soon. ...[more]