I think the reason this move is condemned is because it's a bad approach, and a poor solution, to the problem.

Paying people to catch worm authors isn't going to make the problem go away. Worms are not created because of bad software, but they are made possible by bad software.

If you buy a house knowing that the door locks are weak and not particularly well-suited to keeping out intruders, would you be surprised when you get robbed?

Yes, these people are criminals. Yes, they're doing criminal deeds. But creating an incentive to catch them after the damage has been done is purely reactive, and as such, largely ineffective. I don't believe it's going to be at all effective as a deterrent. There are far too many crackers out there doing the same criminal deeds and getting away with it constantly. (IMHO, the Blaster kid was a scapegoat for a more skilled evildoer.) A much better solution is a preventative one- design software securely so that it is effective at resisting intrusion.

Perhaps, after that's been accomplished, Microsoft's worm-author bounty would be more well received and sensible. But right now this sounds like Microsoft is trying to avoid the preventative albeit difficult solution in favor of the throwing money at the problem. People have a lot of reasons to think that their security initiatives aren't sincere or effective, and very few reasons to think the opposite.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/199/23899#23899