Busting the Worm Writers

Opinion Microsoft deserves praise for offering a cash reward to catch people who criminally exploit their bugs, argues SecurityFocus columnist Tim Mullen.

The Microsoft bounty is almost old news, but I could not let the subject slip by without throwing in my two cents worth.

For the cave dwellers out there, let me summarize: Microsoft, the US Secret Service, the FBI and Interpol announced the creation of a special fund to provide reward money to aid in the conviction of worm writers. Of an initial infusion of five million dollars, $250,000 per worm has been assigned as bounty to whoever finks out the authors of MSBlast and SoBig.

In gauging the immediate rejection of the concept by many, I can't help but think that an Anti-Microsoft-Anything template exists. It is probably structured as follows:

"Microsoft's latest announcement of (insert title here) is nothing but a PR stunt. As illustrated by the (insert name of lame worm executed via outdated e-mail reader, or long-patched vuln here) worm, Microsoft's software is horribly insecure. Everyone should immediately switch to (insert any other OS here) because according to (insert stat's source, probably Netcraft here) there are over (some number) of (confusion of servers vs. sites here) running it, which means it must be secure. Gates should be mandated to pay (me) the sum of (ridiculous amount here) because he's got more money than God anyway, and won't miss it."

It is probably submitted via a web form (running IIS, or course) and posted to an un-patched SQL server using code vulnerable to SQL injection.

There seems to be some confusion about where worms come from. Worms do not come from "bad software." Worms come from criminals authoring illegal code to exploit "bad software." For the first time, a vendor has put up cold hard cash to help combat the top-level source of a problem, and everyone immediately condemns them. Oh yes, I know--"If it were not for the crappy software, then there would be no worms." Well if my aunt had testicles, she'd be my uncle. All software has security problems. And it always will. That is just the reality of it.

Offering a cash reward to capture criminals is a good idea. Does a reward work in every case? Of course not, nothing does. But it is part of an overall strategy-- a strategy in depth. That's what bugs me about the criticism: people take it as a single action, as if it is the only thing Microsoft is doing about security. The truth is that Microsoft really is making great progress in the security of their products, while at the same time trying to make those products "idiot proof" which is indeed a difficult thing to do.

The Drug War Metaphor

In a CNET article, Robert Vamosi equated the worm bounty to the United States' War on Drugs, saying that it has failed "by not focusing on the underlying causes of drug use."

I think this is a shallow view. The underlying cause of drug use is that people want to get high. There is really not a lot we can do about that other than educate each other as to what drug use can do to your life. And though it is not the best way to combat drug abuse, making it a crime to deal drugs certainly helps cut off the supply. People turn in drug dealers all the time for a myriad of reasons, reward money being one of them. To say that arrests won't stop drugs from being sold is a cop-out. While it won't solve the problem in its entirety, it will help.

And while a reward won't stop worms, it just might help. It doesn't really matter if a virus writer thinks the bounty will do any good-- it matters if his friends and associates think it will. A quarter of a million dollars will most certainly test any honor among thieves.

More importantly, there is no downside to it. It is not as if Microsoft is pulling resources out of its security initiative to fund the bounty pool, as much as some would like you to think so.

When I write that users are responsible for their own security, I'm not finger pointing-that's the division of labor most likely to have a positive effect. I expect a vendor to provide me with a reasonable amount of secure-ability in a product, but it is really up to me to make sure that I am doing what I can to obviate security issues. I expect the government and police to provide an infrastructure where one can expect some realistic level of personal security, but I also have to make sure I don't go walking through a high-crime area in shiny-new shoes and a Benji stuck to my forehead.

I probably sound like a broken record when I say that I'm not forgiving Microsoft (or any other vendor) their responsibility to do their job, but I think that for us to totally count on someone else for our security is ultimately foolish. It is easy to place blame for bad things on other people. In reality, no one person is to blame.

Internet security is not a Microsoft problem. It is not a Linux problem. It is a people problem. Rather than making individual criticisms of perceived failure, I think we are better served to work together and celebrate our successes.

Timothy M. Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software. AnchorIS.Com also provides security consulting services for a variety of companies, including Microsoft Corporation.

Copyright © 2003,