Microsoft's tax-for-hacks 'horrible' idea, say security experts

Suggestion that Internet users pay tax to fight malware, botnets gets thumbs down

Microsoft's idea that the fight against malware could be funded by an Internet tax is "horrible," an analyst said Thursday as other experts weighed in on a recent comment by the company's security chief.

Earlier this week, Scott Charney, Microsoft's vice president for its Trustworthy Computing group, said that while there are plenty of ways to combat malware, scrub infected PCs and take down botnets, no one wanted to foot the bill.

"Maybe markets will make it work," Charney said, but then added that an Internet usage tax might be the solution. "You could say it's a public safety issue and do it with general taxation," Charney said.

"The idea of a general Net tax is a horrible idea," said John Pescatore, Gartner's security analyst. "Why not a tax on all retail goods for a standard anti-shoplifting service all merchants would have to use?" A business, he said, can now select what it thinks is the best anti-malware solution, but that choice would presumably vanish if funding for battling the bad guys went national.

"A general tax would reduce the services to the lowest common denominator," he said.

Wolfgang Kandek, chief technology officer with security company Qualys, agreed. "I have a hard time seeing [a tax] work. The Internet is an international body, you can't regulate it and you cannot levy a tax. ISPs might have to up their fees to pay for something like this, I can see that, but a tax that brings government into play, I can't see that."

Others who disagreed with Charney's Net tax argued that Web users would pay, one way or another, tax or no tax, to fight hackers.

"A tax may be a bad idea, but people will pay for it one way or another," said Randy Abrams, director of technical education at ESET Security, ticking off higher ISP fees or, if not that, the lack of any price cuts by ISPs as the inevitable consequences of anti-malware efforts on the part of service providers.

Some security pros questioned not only the concept, but also the mechanics of a taxation-for-mitigation scheme.

"I don't have a problem with charging a fee and giving it to good works for the whole," said Andrew Storms, director of security operations at nCircle Network Security. "The problem is that one, you have to find a big, smart and trustworthy organization to handle this. And most people will agree that's not the government, and that's not Microsoft."

More likely, thought Storms, is that an ISP will take the plunge, charge its users a little extra to keep their machines clean, and prove it's possible. "Then I could see a consortium of ISPs getting together to do that," he said.

But there are other ways to clean up the Internet than to slap a tax on the Web, then use the money to launch search-and-destroy missions like the one Microsoft announced last week when it said it had crippled the Waledac botnet, a claim some researchers disputed.

Kandek's idea was one sure to upset Microsoft's stockholders. "It would be a radical move, but Microsoft could cut the price of a Windows 7 upgrade to $29, the same price that Apple charges for Snow Leopard," he said. By slashing the price of Windows 7, Microsoft would convince more users, especially those in developing countries where malware is a major problem in part because it's seeded on the pirated copies of Windows people purchase, to upgrade from less secure versions of Windows and keep their PCs patched.

"Giving us an incentive to move to Windows 7 would be a great thing," Kandek said. "It could help a lot."

ESET's Abrams, however, took offense that Charney would suggest a tax when there was so much Microsoft itself could do to make the Internet a safer place. (Abrams wasn't alone: numerous readers of the IDG News Service story that covered Charney's keynote at the RSA Conference this week said much the same thing, although often in more colorful language.)

"Microsoft has allowed a powerful malware-enabling technology to exist that most of the major threats have incorporated," Abrams said, referring to AutoRun, the Microsoft technology that starts some programs automatically when a CD, DVD or other media is inserted. The notorious Conficker worm spread by exploiting AutoRun on flash drives. According to ESET, which is best known for its NOD32 line of antivirus software, almost 30% of in-the-wild malware uses AutoRun as an infection vector.

Although Microsoft made moves last year to restrict AutoRun, first in Windows 7, then in Vista and XP, Abrams argued that because Microsoft didn't mandate the updates for the latter two operating systems, it doesn't have the right to ask for a tax to pay for clean-up. "They shouldn't point to the user when they have four fingers pointing back to themselves," said Abrams.

He was even more blunt in an entry on the ESET company blog later Thursday. "I appreciate the remarkable and laudable security progress Microsoft has made, but before you, Mr. Charney, ask users to swallow a tax or fee for bot clean up, bite the bullet and clean up the AutoRun infection vector," Abrams wrote.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.


Copyright © 2010 IDG Communications, Inc.
