Microsoft Offers A Bounty On Virus Writers

Iphtashu Fitz writes "According to news.com Microsoft will announce a bounty of $250,000 on Wednesday for information on who wrote two recent Windows viruses. The bounty is offered for information that leads to the arrest of the people who released the MSBlast worm and the SoBig virus. Microsoft will officially announce the reward in a joint press conference with the FBI and U.S. Secret Service Wednesday morning. This is the first time a company has offered money for information about the identity of the cybercriminals. Could this be the start of a new trend in going after the writers of viruses & worms?"

Not always so catchable...

[the uNF cola]

It's not that hard to deploy a virus and not get caught. There are so many open access points and people who forget to log off of an email account after leaving.. how would you track it?

I love Microsoft's Logic!

[Mastadex]

If you cant fix the bug, just get rid of the bug writers, so that you dont have fix anything! HA!

worms = good

[alan_d_post]

The not-very-malicious worms that we've seen exploiting e.g. the NT RPC vuln are good things, IMO. They encourage admins to patch their systems, giving black hats less opportunity to do real damage.

Interesting..

[zyridium]

I mean you would expect the l33t hackers that wrote the worms to tell a few close contacts...

I suppose we just have to ask the question, in the l33t hacker circles, is money or loyalty worth more?

Re:Didn't...

[Dot.Com.CEO]

Beg your pardon there, mate, but I don't think virus writers are "the crew" in slashdot. While you may feel some misguided sympathy toward the scum who wilfully destroy computers because said computers run an OS you don't like, it doesn't mean they are what makes slashdot well, slashdot. Then again, most people in here who think of people who write open source software as "one of us" have never writen one line of code, so I guess your comment is fair.

Cyber Bounty Hunters

[Anonymous Coward]

So there will be cyber-bounty hunters..even less scrupulous than cyber-invsetigators and all too eager to claim their prizes. It's pretty easy to frame someone in cyberspace. And if you point the finger at some teenager who happens to have been posting on a 'hacker' website, after planting some code on his machine, people would be all to happy to believe you...Before there was no incentive to do this... but 250,000 dollars...

Re:Here's an idea..

[svvampy]

Theres only so much money they can throw at a problem.

Well, there logic is (half) right...

[WIAKywbfatw]

Well, ask any doctor and he'll tell you it's better to cure a disease than to treat its symptoms. No virus writers means no viruses, which means no headline news virus alerts and scares.

Of course, the question is how much of the "disease" is the virus writers and how much is Microsoft itself with its sloppy approach to secure computing?

Re:I love Microsoft's Logic!

[weileong]

what are the realistic chances of a payout? Beyond finding the person, it's also another question finding enough evidence to put that person away. The realistic odds of MS ever having to pay out the $$, how high is that?

Actually wont' all this do is that, in the future, the virus writing will be done by the "professional" types who are going to be more careful about covering their tracks (launch only from internet cafes, zombiefied machines? with a long enough chain-of-zombies even assessing the traffic logs is going to come up with inconclusive info?) as opposed to newbie-types? will that ramp up the lethality of the virii?

Re:Quite

[the uNF cola]

Even if they do that, they don't scare the people who just a little sneakier than most. And scare tactics doesn't always work. Look at Kazaa. 400+ examples made, and it's still strong.

Oddly enough, disobedience is not an easy thing to squash. :)

Re:I heard they needed skilled people

[studpuppy]

So.. like, is the 250K a signing bonus? Or do they get it in stock options? Of course, the real question is... is it cheaper for MS to pay 250K to jail each person that writes a virus exploiting on of their security holes than it is to pay the developers to avoid creating them in the first place?

Re:I love Microsoft's Logic!

[witcomb]

I think you mean the bug exploiters

Re:worms = good

[Pike65]

Well you clearly didn't get a temp job on a helpdesk a week before the shit hit the fan.

I did >: (

Besides, in business where the sysadmin wasn't a total retard (read: not where I was) there was no way for the worm to get in. The people who needed to patch their systems were the home users who got shafted for not using firewalls. The same people who use Windows because it's not meant to need much setting up . . .

Re:Not always so catchable...

[wizrd_nml]

1) Not getting caught is easy assuming whoever wrote the virus expected such a wide response and therefore took precautions to guard his identity. If he didn't and started bragging to all his friends, who then told their friends...

2) I wonder if Microsoft are expecting this move to deter people from writing viruses. Maybe someone thought: that virus cost us a lot more than 1/4 million, let's spend that money and set an example even if the guy doesn't get caught.

3) This is going to spark a new underground industry: write a virus secretly, then turn around and tell microsoft you have info about it (of course in an imaginative enough way not to get caught but still get the bounty).

Isn't this like..

[wfberg]

Isn't this like the manufacturers of cars that don't have seatbelts putting a bounty on the heads of drunk drivers who crash into their unsafe cars, say, killing families of four in the process?

Yeah, it's all the DUI guy's fault, no product-liability here! In fact, we're really swell guys, closing the barn door after the horse got out and all..

It's a great PR move for people who don't have a sense of irony, which fortunately includes the majority of Americans, and Alanis Morissette.

People need to be better informed

[linuxci]

The problem is not many people look further than Microsoft products because they know no better, and the mainstream press doesn't do much to help this. Microsoft throwning money into the pot to catch criminals is unlikely to solve the problem, in the UK there's a lot of schemes that offer rewards for finding criminals, but although they often catch people, it doesn't seem to deter people. I mean we can't tell people in the UK that they can install new Windows and doors in their house and not bother to lock them, and installing an MS OS (and to be fair many Linux distributions) without doing a 'lock down' is just as stupid, but most people don't know how to go about securing their PC.

We know that other products aren't perfect but variety in software does do something to reduce the dramatic effect of these worms.

So the more people we can educate about alternatives to Microsoft products such as Mozilla Firebird, Thunderbird and Seamonkey (the app suite) will help to restore some balance and will hopefully reduce the number of email viruses. Commercial alternatives such as Opera should also be mentioned because although I think the interface is awful, other people like it and choice is good. Many home users just use thier computers for web browsing and simple documents, so Mozilla + OpenOffice would do all they need.

Then on the desktop you have various options as well as Windows, although unfortunately for most people they may be depending on it for certain applications. MacOS X is ok, but would require buying new hardware if you currently have an ix86 PC.

Poor victimised Microsoft

[amorsen]

People have been starting to see Microsoft as a vendor of poorly-written, insecure software. What this offer makes people see is that Microsoft is just the victim of evil criminals. And you can never blame the victim for the crime...

Spammers

[tehanu]

Given that the Sorbig virus has been linked to spammers, finding the person who wrote the virus might be a blow against spammers as well. Any trial will be well publicised and having the public connection of spammers==virus writers==evil hackers (yes I know the proper term is crackers, but this is public opinion I'm talking about here)==terrorists could be a big blow against the reputation of spamming so that it is no longer seen as just an annoyance but something potentially dangerous. This probably won't bother the spammers so much but it might help get legitimate companies who hire them give the whole email marketing process a second thought, especially if any connections come up during a trial. "Trial: Virus used to advertise for Company X." "Virus writers hack computers to advertise for X" does not sound good for Company X on the front page. At the very least it might make them more careful about who they hire and who the people they hire outsource to (as I'm sure there will be so much outsourcing something known as "plausible deniablity" will be used).

And a connection in the public consciousness between spammers and hackers who write viruses might give a bit of impetus to the government for harsher anti-spam laws. I mean look at anti-hacking laws vs anti-spam laws. Which one has more teeth and are tougher?

Re:Not always so catchable...

[tanveer1979]

Hmm not really. Given enough resources and motivation, it is not that daunting a task. With internet being taken into control everywhere and watchdogs sitting, it may not be that difficult.

Ever read the book, "The Silicon Samurai", the cracker in that book was very clever, a master of the art. Still he got caught. Why? Because crackers, virus writers, DDoS organisers have one thing in common. They want fame. They cant sit without leaving clues. History teaches us that the greatest thieves and criminal got caught due to their hunger for fame. This will happen here also. Though i am not to sure if that is a very good thing, coz when such showdowns happen a lot of innocent people suffer.

New senario ...

[Zemran]

In a country such as Laos, people earn about $75 a month... or $900 a year... if they work from 15 until 65 they will earn $45,000 in their life forgetting the fact that they are extremely unlikely to have work all the time.

So it now becomes a career move to write a virus, get your own brother (or someone you trust) to hand you in and collect the money. You do your time in relative comfort and your whole family is rich (comparatively)...

No, worms = bad

[Moraelin]

This idea is about as retarded as saying that:

- throwing stones through people's windows is good. It encourages them to buy bullet-proof glasses before a real thief breaks through that window.

- lockpicking into someone's house and spray-painting their walls is good. It encourages them to buy better locks, giving a real thief less opportunity to steal stuff.

- poisoning the neighbour's dog is good. It encourages him to get a dog which won't wag its tail when a (potential) thief throws him a piece of meat.

- keying random people's cars is good. It encourages them to park those cars in proper park houses, where presumably a real thief would have a harder time getting away with their car.

And so on, and so forth. I'm sure you get the idea by now.

Basically, no, there is no proper excuse for vandalism. Neither in the proper world, nor in the IT world. And just as any judge would probably just have a laugh if someone pulled the retarded excuse "but the lock wasn't 100% secure, so it's not my fault" in a break-and-enter trial, the same should apply to breaking-and-entering someone's computer.

And if you do go around keying cars or flooding the net with RPC exploit packets, no matter how well intentioned you are, I do hope they throw you in a nice jail cell, with two convicted anal rapists as cell-mates. Yes, that same heartfelt wish goes to whoever thought that an RPC patching worm is a good idea.

Clever

[0xdeadbeef]

By offering a bounty on their heads, they only serve to increase the status of worm and virus authors. What was once the loserdom of the script kiddie community is now glamorous.

Now consider what this means to their "secure computing" initiative, how the frustrations from dealing with this shit can make people more accepting of their draconian security measures. Consider the financial benefits of "digital rights management" that they can only realize after the hardware and software is locked down.

You can imagine the conversation that lead to this, like something out of "24" or the Bush administration: Lets allow, no, lets *encourage* a virus 911 so they'll let us lead them to safety!

Re:Well, there logic is (half) right...

[ajr_trm]

Well, ask any doctor and he'll tell you it's better to cure a disease than to treat its symptoms. No virus writers means no viruses, which means no headline news virus alerts and scares.

The same doctor will tell you that elimination of all dangerous viruses and bacteria from our environment is impossible.
The best way to fight the diseases is to make our constitution stronger.

The same with software.

Smoke and Mirrors - Windows not ready for Internet

[Anonymous Coward]

If that were even remotely true then Apache would be swimming in remote exploits, which it is not. Not only that, Microsoft's products just aren't designed for security [infoworld.com], even by the admission of their own executives. In fact, Windows is insecure by design [washingtonpost.com]. Microsoft has worked hard to earn the shoddy reputation it has among technology experts and is focusing all the more on marketing efforts. But face it, Windows is not ready for the Internet and is not likely to be. Even Joe Sixpack is starting to figure that out.

This bounty is just a PR game to distract from anti-trust, patent violations, anti-competitive fines, security fines. Microsoft's executives and other investors have had enough time now to dump their stock. Game over.

Re:Here's an idea..

[Anonymous Coward]

Personally (no evidence), I think there are two kinds of virus writers. Those that do it for thrills and those that do it for profit. The people who do it for thrills I suspect are mostly teenage boys. I've known a few who were stupid enough to mess with viruses. Luckily they weren't stupid enough to let them escape or release them.

The new trend of spammers writing viruses to make zombie machines is different. I suspect the people behind it are much older, although they may have hired someone of any age to write the code.

We Need to Stop Equating All Conspiracy Theories

[FreeUser]

Mind you, some conspiracy theorists also claim that the world is ruled by alien lizards, so I think it's fair to take what they say with a pinch of salt.

Yes, but they aren't the same conspiracy theorists. :-)

On a serious note, folks on slashdot (and indeed, people in general) tend to equate all types of conspiracies (and conspiracy theories) and lump them together...somehow equating Enron with the X-Files, at least until Enron is exposed publicly (then, for some reason, people are able to grasp the difference). This is a real problem, because it means that people will live in denial of real-world conspiracies that are taking place (e.g. Monsanto's conspiracy to dump toxic waste into the rural groundwater of the deep American south in the 1990s, or the current SCO conspiracy to defraud their investors and steal the copyright of thousands of software developers around the world) by dismissing them in their minds as no more likely than alien invasion, UFOs in storage at area 51, or silent black helicopters hovering overhead.

We do know conspiracies exist, therefor, it logically follows that some conspiracy theories are likely to be not out in left field, but rather quite correct.

We know as a matter of historical record that the Nazis conspired to stage a "terrorist" act against the Reichstag as a prelude to a coup d'tate, however, listening to the "conspiracy theorists" of the time would have been like listening to a conspiracy theorist today claiming that 9/11 was staged by Baby Bush (it obviously wasn't ... but it has certainly been exploited in analogous ways by the FBI and the secret service to grab unprecidented power in the United States).

Microsoft has a history of conspiring to do dishonest and disingenuous things that directly (and illegally) harm and coerce their customers and their competitors, indeed, they have been convicted of doing so on numerous occasions (the DOJ anti-trust trial and subsequent sell-out being only the latest example). A conspiracy theorist pointing out a economic or tactical political advantage Microsoft might gain through ill-behavior toward its customers is not out in left field ... their theory, while quite possibly false, is certainly worthy of consideration, particularly given the amount of historical fact that illuminates similiar behavior by Microsoft in the past.

So IMHO it is a mistake (and disingenuous) to equate actions by Microsoft and the copyright cartels that directly threaten our digital freedoms, and the conspiracies that do in fact drive these agendas (even if said conspiracies have the most banal of motivations: greed for cold, hard cash), with tin-foil hats, ghosts, and UFO sightings, as is so often done by the apologists of such groups.

Expressing concern about corporate or government malfeasance (conspired or not) isn't even remotely analogous to X-Files-like nonsense, and it is time we stopped allowing sceptics to use dishonest means (equating suspicion of the Reichstag burning ^H^H^H Microsoft's exploitation of their woeful security record to political advantage, with suspicion of Alien Lizard ruling the earth) to denigrate those who do express such concerns.

Re:No, worms = bad

[Moraelin]

I'll appreciate someone trying to crack _my_ code, and in fact at the previous workplace we actually had someone trying to do just that.

System admins are a different issue. I'm sure many of you appreciate the job security, but I'm not sure that your _employer_ appreciates having to spend the extra money. All this worm frenzy _is_ costing the economy real money. Including the money to hire a good helping of extra network admins.

I do not, however, appreciate someone unilaterally deciding for millions of people that everyone must dedicate time and money into securing their systems. If you really think that putting the millions of average Tom, Dick and Harry through all this nightmare is just a small price to pay in the anti-Microsoft crusade, then you have a reality check problem.

The thing is, from the point of view of how the rest of the world works, this is the most absurd and idiotic system possible. In the rest of the world model, Tom, Dick and Harry already _know_ that the lock on their front door _can_ be picked. They _know_ that if someone really wanted to steal their car, that's very much possible too. Etc.

But they also know that if someone actually does, the law will sooner or later catch the thief and throw them into jail. And they know that if someone broke at night into the company and had a look at the paper based financial records, they wouldn't have "but I just wanted to help them secure their system" as an excuse.

The real world does not work by the idea that "lock vendors must produce a 100% non-lockpickable lock". It works more by the idea that the lock is a token. It helps if it can keep away the non-determined nosy neighbour or their cat, or maybe a drunk teenager, but it is _not_ supposed to be a 100% secure anti-theft device. It's main value is as a marker which says, "if we catch you beyond this line, we'll throw your criminal ass into jail." That's their real value, and that's the real deterrent.

Just in case you were wondering why regular people can't comprehend the idea of needing to check the Microsoft update page every few minutes, and configuring sophisticated firewalls: it's because their normal lives happen in this completely other security model. The model where your main defense is the law, not having to have a 100% unbreakable titanium bunker door and a 100% non-pickable lock.

So when they go on the Internet, they assume the same implied protection and deterrent. Not that they enter a "Wild West" kind of world, where if someone can lockpick your door and shoot your dog, then it's fair game. And hey, now that someone's so k3wl and l33t, because they had downloaded a "lockpick door and shoot dog" script.

And maybe it's about damn time that it actually started to work like in the real world.

Causing millions of people millions of hours worth of unneeded trouble, is _not_ some cool way of promoting security. It's just the IT version of vandals throwing stones through home windows. Only now they can throw millions of stones per second. (See the packet storms caused by RPC worms.)

And maybe it's about damn time someone figured out a way of putting those vandals behind bars. Just so the rest of the world can spend their time and money in a better way than constantly patching, and constantly upgrading firewalls.

I'm looking for a virus writer...

[clickety6]

...who is willing to spend a few years out of circulation for $125,000...!

Contact me on 555-EASYCASH.

Re:Why People Bash Microsoft

[TopShelf]

That is one the silliest things I've read in a looooong time.

1) Freedom of the press is only truly open to those who can afford to publish? Uh, hello, communication channels are more wide open today then they have ever been, thanks to blogs, email, newsgroups, P2P, desktop publishing, etc. Of course big corporations have more options available to them, but that is (and has always been) the case just about everywhere in the world.

2) "What will hopefully emerge from this process is a totally new form of government, a meritocracy. In my opinion, music will be the greatest power." Have you taken your meds today, or are we looking at 50 Cent as the new Director of Homeland Security?

3) "the company with the greatest financial clout in the world right now is Microsoft." A software company [yahoo.com], no matter how large, hardly wields "financial clout" like a GE [yahoo.com], which spans the globe and gobbles up companies in a variety of industries by the handful, or a huge bank like Citigroup [yahoo.com], which brokers deals and provides the financing that makes business projects possible. Microsoft is a giant in the software business, but in terms of the overall business picture, they aren't the biggest kid on the block by far.

4) Gates can direct the "full power of the press" to back candidates of his choosing? While Microsoft has a partnership with NBC, I doubt that he spends his time telling Katie & Matt which candidates to pump up.

5) "If my thesis is right, and this is a plutocratic system, then Gates is nominally the king, with no hereditary right of succession as such, unless he can prolong his wealth into the next generation. Well, your "thesis" is dead wrong from the start, and is certainly finished off by the fact that Gates plans to give all his fortune away [guardian.co.uk].

There are plenty of reasons to bash or admire Microsoft, but paranoid fantasies are another thing entirely...

Re:Brilliant move

[lone_marauder]

To some degree a virus wrecking havoc amongst computer using their software can be seen like if somebody was vandalizing your property.

Oops! Be careful with that. Compare the MS business process with real life, and you might raise the specter of product liability.

Anal fantatsis again!

[DataCannibal]

(sigh) Here we go again. You weenies really seem to get a hard on about anal rape. Everytime someone mentions crime and/or punishment someone's sure to make some remark like the crap above.

Is it because your not getting enough yourself?

Re:I heard they needed skilled people

[Daniel Dvorkin]

You know damn well that if Linux enjoyed the sort of desktop ubiquity that M$ has right now, we'd all be bitching about the latest exploit/virus/worm and complaining about how it takes so long to get them patched and why in $#%^&$%@#&* couldn't it have been written correctly in the first place!

Right. Which is why I'm bitching all the time about hbow insecure Apache is, and how long it takes to get it patched, and why the $#%^&$%@#&* it couldn't have been written right in the first place ...

... oh, wait a minute, I'm not.

Who caused the damage?

[nolife]

Is the writer the responsible party or is the person who deploys the virus?

What if I make a spreading virus that works with a known flaw in a MS product. I post this virus and code to say Bugtraq, IRC, or here on /. How can I be prosecuted? I wrote some code but did not use it or set it free on a network. You could take this to extremes on either side. What if I give code examples? What if I only documented HOW to write code to exploit an existing hole? What if I only describe the hole? I can make a machine gun and provide you with plans for a machine gun but unless I use it to kill people, I did nothing wrong. Seems to me that the prosecutors and MS are trying to hang someone as an example but that is a very fine line. Is there a law that clearly states that you can not knowingly write code that may cause millions of computers to crash? I know this is a touchy subject but I view this software as free speech.

Re:I heard they needed skilled people

[DNS-and-BIND]

Bullshit. That's like saying, "bridge collapses happen." The collapse-free bridge is here, and it's here to stay. Why? Because there are engineering standards that ensure safety. Software engineering is alone in tolerating, nay, encouraging defective products to exist. The "sufficiently large" argument is bullshit as well. I can name any number of staggeringly huge engineering projects, all of which were completed successfully and still stand safely today. And Microsoft can't even write a program to send email without massive defects? Get real.

Re:I heard they needed skilled people

[BlewScreen]

well...

from this report [cornell.edu]:

To give an idea of the scope of the deterioration problem, 150 bridges collapse each year in the US

Yeah, that was 1996, but there were "engineering standards" back then...

As far as I can tell, there's nothing that is Perfect... It doesn't matter how many standards you have in place, humans introduce a certain amount of imperfection into whatever they muck with.

Also, consider that (to the best of my knowledge) no one is out trying to cause bridges to collapse. Now Windoze, on the other hand...

Sure, MS shares some of the blame here - they didn't produce a "safe" product because of market demand etc. But SO WHAT? If I went around cutting the brake lines on all the cars in supermarket parking lots, would you really blame the car manufacturers for not "securing" their products?

My point is that there is going to be a way to break something, regardless of how hard you try to secure it. I'm not saying MS necessarily tried hard enough, but you're arguing that they should have created a perfect product and that's simply not possible.

Re:Here's an idea..

[mr_z_beeblebrox]

And if they don't catch one, the publicity is free.

That, in a nutshell, is wit.

Re:I heard they needed skilled people

[WhiteWolf666]

Perhaps I'm barking up the wrong tree...But....

Its not JUST that MS makes the default user---

It is also that Windows runs a ton of stupid, random crap in kernel space.

Like Windows Media Player. Like Internet Explorer. Like Outlook. Like a ton of office stuff.

None of that belongs in kernel space.

Re:Not always so catchable...

[f00Dave]

Your analogy is flawed, since these particular virus/worm writers aren't doing it to "leave a mark on the world", they aren't gloating about what they've done ... they're *using* those infections as part of their *business*. Witness the latest worm's DDoS assault on SpamHaus.

These writers won't get caught because they can't help but leave signposts, but they *may* get caught if someone in their dirty end of the world rats them out. I mean, after all, they've obviously built up this tool (a private, massive, distributed, anonymized network of PCs) for a reason, and that's for one of two obvious reasons: 1) to sell spam-sourcing services to folks who can't get an ISP to let them send, 2) to cruch their competition/adversaries.

It's a (commercial) battlefield out there in Packet Land.

Anyway, that's my take on it. =)

Re:Ignorant Ignorant Ignorant!

[ceejayoz]

Script kiddies are probably more likely to be running Windows themselves, 'though. They'll crack what they have access to themselves, instead of something utterly like Linux.

Someone who trained to use a grenade launcher is going to use a grenade launcher when available, even if pistols are more prevalent. :-p

Re:Why People Bash Microsoft

[tres]

Or Occam's Razor might say that people dislike Microsoft because Microsoft has been responsible for countless hours of frustration and time wasted due to bad products and no readily available alternative.

It's like buying a lemon from the only car dealer in town that you can afford to buy from. You despise the dealership and the salesman who sold you the car. You despise the owner of the dealership for tricking you.

It's not about how much money the owner has, but how he got the money. People associate Bill Gates with the crap that Microsoft has made billions selling. He's painted his own portrait in their minds--not the media.

Part of the problem, I believe, is the hype that Microsoft raises with new product releases. They generate artificial demand by hyping products that are supposed to solve your problems. Most of the time, the problems aren't solved, and even in the cases where they are, the problems are generally shifted to something else.

Re:I heard they needed skilled people

[pyros]

It's both. Having them run in kernel space means a web browser crash can bring down the whole kernel. Having them run as root means an exploit can give access to the entire system. Either one without the other is bad, but together they are the sux0r.

Re:I heard they needed skilled people

[BlewScreen]

Way off topic, but regarding bridges... Here's a list [nwu.edu] of 15 that fell due to engineering defects.

I grew up a few miles away from the "Schoharie Creek Bridge" in the list. A week after it fell, a bridge a bit further up the creek fell as well. The second abutted my front yard. Both fell due to poor engineering.

In fact, the one next to my house was built across a bend in the creek. When they "fixed" it, (eight years later), they built the new one in the same place. Talk about not learning from past mistakes...

Designing secure and bug-free software is a tedious process, but do-able.

The original argument was that building bridges that don't fall down is also "do-able"... Apparently, that's not the case.

There is no way you can guarentee PERFECTION with ANY amount of checks / tests / standards / whatever. Who's going to run the tests? A HUMAN.

Software or not, humans make mistakes. There's nothing you can do about it. Again, I'm not asserting that MS didn't release a product with "too many" bugs. Just that the goal of "perfection" is WAY beyond reach...

Microsoft is doing something at least...

[gone.fishing]

Gee, I knew what most of these posts were going to say before I even read them. Most of them say that this is just a marketing ploy by Microsoft to deflect criticism, that Microsoft's poorly written code is what is really the cause, and Microsoft this and Microsoft that and oh, by the way Linux rules.

Let's put all of that aside for a minute. I'm not going to be pro-Microsoft or Pro-anything here. I am going to be Anti-virus writer though.

Cyber-crime be it scams, viruses, trojans, worms, password/identity theft, carding or whatever affects all of us personally. It does because it casts things like the internet, ecommerce, and technology in a poor light. It causes "big money" to think twice before they invest in technology, it causes things like e-voting to come more slowly to the forefront and, it forces companies to take sometimes extreme security measures.

In a sense, the 'net hasn't matured yet. It can be compared to the Wild West where crooks didn't have to run very far or hide very long or even worry very much about getting caught. I have no doubt that over time we will see the net change and cyber-criminals and other scumbags will have more to fear. But right now, a wanted poster with a reward is appropriate. It is what Wells-Fargo did to catch outlaws way back when and it will work as well today.

Re:I heard they needed skilled people

[pyros]

blame on me for careless examples. If I'm not mistaken, video drivers run in kernel space, so should have been my example for that. I didn't mean to imply that IE was both a kernel service and run as root, just that those two parts of the Windows platform in combination are bad. And to be fair, the IE rendering code is in system DLLs, so it's not an unreasonable misunderstading to think some of it might be running in kernel space. As for stuff needing to be logged in as administrator, I have a linksys wireless card which, using the current drivers, is useless unless I am logged in as an administrator. Note that I mean 100% useless, it will not associate with an AP unless I am an administrator. I tried uninstalling and reinstalling the driver, I even went through two levels of Linksys support. So in order to have my wireless internet access without buying more hardware, I must run as administrator. :( Fortunately I just run Linux all the time.

Where's the supervirus?

[Dirtside]

I've been wondering for a while why we haven't seen any really nasty virus epidemics -- I'm not talking massive DDOS, or spamfloods. I'm talking, a virus that infects a few million hosts over the course of a day or two, and then at a predetermined time, starts formatting the hard drive.

Given how fast some recent viruses seem to have spread, it certainly seems feasible. So why do these viruses always have fairly innocuous payloads? It would seem a relatively simple thing to write a virus like this -- not to mention release it anonymously and never tell anyone about it. Is it just that the people capable of doing this are all ethical enough not to? Or that the ones who aren't ethical enough, are dumb enough to get caught? Or that nobody, I mean nobody would want to see the havoc wrought by such a virus?

Why haven't we seen a virus like this yet? Is it because such a virus isn't possible, or just because no one's bothered yet?

Bounty on Microsoft security holes

[brre]

I was going to offer a 25 cent bounty on Microsoft security holes, but then I realized I can't afford it.

Seriously, the PR design here is quite good: shift the blame. By putting a bounty on the bad guys, Microsoft frames the issue as the bad guys are the problem, and gets the heat off Microsoft's absymal security. I congratulate Microsoft's PR talent here. Very slick.