Microsoft offers a bounty to catch MSBlast and SoBig creators. What's the point?
The messenger brings bad news, so you shoot the messenger, right? That's what this seems like. I know it's not a perfect analogy. But the creators of these worms did embarrass Microsoft by exploiting security flaws, and now Microsoft feels that they should be hunted down and punished.
It's so strange that they should announce this bounty. I had been thinking over the past few weeks that Microsoft, if it is really serious about building secure software, should offer a cash award for anyone who reports a security flaw in Microsoft's software. That makes sense. You can hire a few full-time employees to search out and report security flaws. Or, you can offer a cash reward to others who will search out and report the security flaws. Or, you can do both. Microsoft should do both.
I'm concerned about the impact of the proposed bounty. The regular release of malware is the normal state of the Internet. There are bad people out there who want to deliberately cause damage. The fact that those people are out there keeps us vigilant. It's smart to be mistrustful by default on the Internet. If we are able to catch the creators of the most visible malware, then what remains will be more insidious malware, including malware that is more difficult to detect. The threat is no less serious, just not as visible. I prefer the visible malware, because it demands that we take immediate action.
I'm disturbed that so few people take computer security seriously. All three of the POP3 accounts that I currently have with various service providers require me to send my password in clear text. We know that sending passwords in the clear is bad for security, and we have had alternatives available for many years. So why do these service providers not offer an alternative to cleartext passwords? It's because of complacency. Only when an attack affects the service provider are they jolted out of their complacency and made to take security seriously. That's why we need a highly visible breach in security a few times a year. Without that, we would not make any progress in computer security.
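To make the cleartext-password point concrete, here is an added example (not part of the original post) that classifies how a POP3 client sent its credentials from its command stream: plain USER/PASS or SASL PLAIN with no TLS (password readable on the wire), PASS after STLS (RFC 2595) or on an implicit-TLS port, APOP (RFC 1939), or a challenge-response SASL mechanism. The transcripts are constructed samples, only client commands are modelled, and server replies are assumed to be +OK; the APOP digest value is the one used in the RFC 1939 example.

```python
"""Classify how a POP3 client sent its password, from the client command stream.

Added example, not code from the original post. Assumptions: the transcript
holds client commands only (one per line), every server reply was +OK, and an
AUTH PLAIN command carries its initial response inline.
"""
import base64
import binascii

# Constructed sample transcripts (not real captures).
PLAIN_LOGIN = "USER alice\nPASS hunter2\nSTAT\nQUIT"
STLS_LOGIN = "CAPA\nSTLS\nUSER alice\nPASS hunter2\nSTAT\nQUIT"
APOP_LOGIN = "APOP mrose c4c9334bac560ecc979e58001b3e22fb\nSTAT\nQUIT"
# SASL PLAIN initial response is base64(authzid NUL authcid NUL password).
# base64 is encoding, not encryption, so without TLS this is still cleartext.
AUTH_PLAIN_LOGIN = (
    "AUTH PLAIN " + base64.b64encode(b"\x00alice\x00hunter2").decode("ascii")
    + "\nSTAT\nQUIT"
)


def _decode_plain_auth(b64_blob):
    """Recover the password field from a SASL PLAIN initial response."""
    try:
        raw = base64.b64decode(b64_blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    fields = raw.split(b"\x00")
    if len(fields) != 3:
        return None
    return fields[2].decode("utf-8", errors="replace")


def classify_pop3_login(transcript, implicit_tls=False):
    """Return {'method', 'password_in_clear', 'secret_exposed'} for a transcript.

    method is one of 'none', 'cleartext', 'tls', 'apop', 'challenge-response'.
    implicit_tls=True models a connection made to the pop3s port (995), where
    TLS is up before the first command.
    """
    tls_active = implicit_tls
    result = {"method": "none", "password_in_clear": False, "secret_exposed": None}

    for line in transcript.splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        cmd = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""

        if cmd == "STLS":
            # Assumed: server replied +OK and the TLS handshake succeeded.
            tls_active = True
        elif cmd == "PASS":
            result["method"] = "tls" if tls_active else "cleartext"
            result["password_in_clear"] = not tls_active
            result["secret_exposed"] = None if tls_active else arg
        elif cmd == "APOP":
            # Sends MD5(timestamp + secret) instead of the secret itself.
            # Not cleartext, but MD5-based and long obsolete in practice.
            result["method"] = "apop"
        elif cmd == "AUTH":
            mech, _, blob = arg.partition(" ")
            if mech.upper() == "PLAIN":
                result["method"] = "tls" if tls_active else "cleartext"
                result["password_in_clear"] = not tls_active
                result["secret_exposed"] = None if tls_active else _decode_plain_auth(blob)
            else:
                # e.g. CRAM-MD5: the password itself never crosses the wire.
                result["method"] = "challenge-response"
    return result


if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_LOGIN), ("stls", STLS_LOGIN),
                         ("apop", APOP_LOGIN), ("auth-plain", AUTH_PLAIN_LOGIN)]:
        print(name, classify_pop3_login(sample))
```

Pointing a mail client at port 110 with no STLS, or at AUTH PLAIN without TLS, produces the 'cleartext' result; the same login after STLS or on port 995 comes out as 'tls'. A provider that offers neither STLS nor pop3s leaves its customers with only the first outcome, which is the complaint above.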
As for Microsoft, trying to punish anyone who would dare to embarrass it is pointless.
Posted by Doug Sauder at November 11, 2003 07:58 AM