Busted
Tim Mullen, 2004-05-17

The arrest of Sasser's author proves bounties work to catch cyber vandals. Now, if the security industry would just stop egging them on ...

Success, or Illusion? 2004-05-17
Matthew Murphy (1 reply)
While the article makes an excellent point that solving vulnerabilities, etc., was never really the intention of Microsoft's virus writer bounty program, that was never really the claim.

I, like others in this field, believed that Microsoft would use the relatively inexpensive bounty programs as its sole challenge to the ongoing worm/virus battle, instead of, or at the expense of, code security that would help stop not only worms, but other malicious individuals as well.

This point was never really disproven, and although we haven't seen Microsoft treat the virus bounty program as an end-all-be-all cure for the security problem, or even the virus problem, one thing we were afraid of *HAS* happened. Security experts are declaring victory over malware.

For one, I think it is entirely too soon to realistically assess the bounty program. The bounty program has yet to catch the authors of Blaster, Nachi, etc., so declaring that one victory means the program is "working" is, in my opinion, exactly the mindset that we tried to avoid.

You see, the very idea of a bounty program is a technically flawed way of preventing virus outbreaks. As we continue to see arrests, the problem with that is that we continue to see the outbreaks that lead to those arrests. Yeah, that same kid might go on to write a Netsky, or even a Klez, but it's ridiculous to say that because we arrested one author, the program has worked well. The fact is, we are still seeing outbreaks.

At the rate of success of the bounty program, we aren't seeing much improvement. David Smith was arrested for authoring the fairly damaging 'Melissa' worm without any bounty.

This point stands particularly strong as I didn't see any citation to back the claim in Mr. Mullen's article that those who turned in Sasser's author turned him in for money. I tell you one thing: if I ever meet face-to-face with one such kid, I'd turn him in to keep my own reputation out of the mud. Plain and simple.

Food for thought,
Matthew Murphy
mattmurphy@kc.rr.com


Link to this comment: http://www.securityfocus.com/comments/columns/242/26209#26209
Other comments in this thread (titles only):

Success, or Illusion? (Mene Tekel, 2004-05-19)
Busted yeah...you are (Anonymous, 2004-05-17)
Busted (Anonymous, 2004-05-18, 1 reply)
Busted (Anonymous, 2004-05-19, 2 replies)
Busted (Anonymous, 2004-05-20)
Busted (Anonymous, 2004-05-21)
"The bounty program is working." (Penguinisto, 2004-05-18)
Fahrenheit 911 (Wim Remes, 2004-05-19)
Proof? (Anonymous, 2004-05-19)
*YAWN* (Rip van Winkle, 2004-05-19)
Consequence for a reward system (Anonymous, 2004-05-20)
Busted (D3@7i0, 2004-05-21)
Busted (blacklight, 2004-05-23)
Busted (Coldman, 2004-05-24)
Copyright 2009, SecurityFocus