
Busting the Worm Writers

People problem


Opinion Microsoft deserves praise for offering a cash reward to catch people who criminally exploit their bugs, argues SecurityFocus columnist Tim Mullen.

The Microsoft bounty is almost old news, but I could not let the subject slip by without throwing in my two cents' worth.

For the cave dwellers out there, let me summarize: Microsoft, the US Secret Service, the FBI and Interpol announced the creation of a special fund to provide reward money to aid in the conviction of worm writers. Of an initial infusion of five million dollars, $250,000 per worm has been assigned as bounty to whoever finks out the authors of MSBlast and SoBig.

In gauging the immediate rejection of the concept by many, I can't help but think that an Anti-Microsoft-Anything template exists. It is probably structured as follows:

"Microsoft's latest announcement of (insert title here) is nothing but a PR stunt. As illustrated by the (insert name of lame worm executed via outdated e-mail reader, or long-patched vuln here) worm, Microsoft's software is horribly insecure. Everyone should immediately switch to (insert any other OS here) because according to (insert stat's source, probably Netcraft here) there are over (some number) of (confusion of servers vs. sites here) running it, which means it must be secure. Gates should be mandated to pay (me) the sum of (ridiculous amount here) because he's got more money than God anyway, and won't miss it."

It is probably submitted via a web form (running IIS, of course) and posted to an un-patched SQL server using code vulnerable to SQL injection.

There seems to be some confusion about where worms come from. Worms do not come from "bad software." Worms come from criminals authoring illegal code to exploit "bad software." For the first time, a vendor has put up cold hard cash to help combat the top-level source of a problem, and everyone immediately condemns them. Oh yes, I know--"If it were not for the crappy software, then there would be no worms." Well if my aunt had testicles, she'd be my uncle. All software has security problems. And it always will. That is just the reality of it.

Offering a cash reward to capture criminals is a good idea. Does a reward work in every case? Of course not, nothing does. But it is part of an overall strategy-- a strategy in depth. That's what bugs me about the criticism: people take it as a single action, as if it is the only thing Microsoft is doing about security. The truth is that Microsoft really is making great progress in the security of their products, while at the same time trying to make those products "idiot proof" which is indeed a difficult thing to do.

The Drug War Metaphor

In a CNET article, Robert Vamosi equated the worm bounty to the United States' War on Drugs, saying that it has failed "by not focusing on the underlying causes of drug use."

I think this is a shallow view. The underlying cause of drug use is that people want to get high. There is really not a lot we can do about that other than educate each other as to what drug use can do to your life. And though it is not the best way to combat drug abuse, making it a crime to deal drugs certainly helps cut off the supply. People turn in drug dealers all the time for a myriad of reasons, reward money being one of them. To say that arrests won't stop drugs from being sold is a cop-out. While it won't solve the problem in its entirety, it will help.

And while a reward won't stop worms, it just might help. It doesn't really matter if a virus writer thinks the bounty will do any good-- it matters if his friends and associates think it will. A quarter of a million dollars will most certainly test any honor among thieves.

More importantly, there is no downside to it. It is not as if Microsoft is pulling resources out of its security initiative to fund the bounty pool, as much as some would like you to think so.

When I write that users are responsible for their own security, I'm not finger pointing--that's the division of labor most likely to have a positive effect. I expect a vendor to provide me with a reasonable amount of secure-ability in a product, but it is really up to me to make sure that I am doing what I can to obviate security issues. I expect the government and police to provide an infrastructure where one can expect some realistic level of personal security, but I also have to make sure I don't go walking through a high-crime area in shiny-new shoes and a Benji stuck to my forehead.

I probably sound like a broken record when I say that I'm not forgiving Microsoft (or any other vendor) their responsibility to do their job, but I think that for us to totally count on someone else for our security is ultimately foolish. It is easy to place blame for bad things on other people. In reality, no one person is to blame.

Internet security is not a Microsoft problem. It is not a Linux problem. It is a people problem. Rather than making individual criticisms of perceived failure, I think we are better served to work together and celebrate our successes.

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Copyright © 2003,
