Busted
Tim Mullen, 2004-05-17

The arrest of Sasser's author proves bounties work to catch cyber vandals. Now, if the security industry would just stop egging them on ...

Proof? 2004-05-19
Anonymous
Tim, how exactly does a single nabbed script kiddie translate to "proof bounties work to catch cyber vandals"? By that reasoning: "Aliens haven't sucked my brain out yet, so this proves that my tinfoil hat works." The damage has already been done, and catching Jaschan after the fact does nothing to improve security (unless you consider the infinitesimal improvement of decreasing the number of script kiddies in the world by one).

"...talk of how the program would fail to land "professional" malicious hackers, as they would just be too good to get caught. Well, it wasn't meant for them, either."

Clearly, but *knowing* that professional crackers, terrorists, and so forth are out there (i.e. "the real threat"), why institute a bounty program that is best suited to catch crackers who are the sloppiest, the least skilled at protecting their anonymity, the worst at covering their tracks among them?

Well, some obvious reasons could be that viruses, worms, and spyware are Microsoft's biggest security problems, from "bottom line" and public perception points of view. I don't know if that's really the motivation, but I've yet to hear a better reason. Loss of revenue and loss of trust from the public are issues that any corporation with an instinct of self-preservation considers very seriously.

So,
1) bounty program does nothing to improve security
2) bounty program is likely to be successful in catching crackers who are the most numerous, but the least threatening to security

Yes, that does certainly seem like a PR stunt. I'll change my mind when these guys are being caught *regularly*. Even if that happens, you are still left with no real improvement to security, just a few fewer of the threats easiest to protect against. If Microsoft wants to throw money at the problem, why not spend it:

1) conducting software audits
2) redesigning existing software securely
3) sponsoring the FBI's Computer Crime dept or similar law enforcement/national security organizations
4) hiring better programmers
5) investing in more training for programmers

Copyright 2009, SecurityFocus