Information Security News mailing list archives

RE: Microsoft's hacker bounty is wasted money


From: InfoSec News <isn () c4i org>
Date: Fri, 14 Nov 2003 08:44:09 -0600 (CST)

Forwarded from: Peter Dyer <TheDyerCo () aol com>

Acknowledging Mr Vamosi's constitutional right to free speech, I can
but wonder about his views and the agenda he is trying to advocate at
a time when criminals are vandalizing millions of computer systems
every day for nothing more than the sport of it.  The superstar status
granted by the hacker community to one of their own based upon the
scale of the impact a particular criminal effort has on the world
population does nothing more than encourage bigger and more outlandish
attacks.  

Having someone from the professional security community and a
publisher who supposedly advocates Information Security take the focus
of our efforts off the criminal and then to blame the software
provider for the millions of dollars in lost productivity and clean-up
costs is absurd!

Young hacker criminals seeking superstar status will inevitably find
a way to circumvent computer systems protected by the most elaborate
security programs through little more than taking advantage of the
weakness of one inside individual and a little creative human
engineering effort.  The millions of home users impacted in the
process cannot possibly defend themselves from the dedicated actions
of one criminal hacker and neither can Microsoft.

Placing a bounty on the heads of these computer criminals will
encourage people with information necessary for the successful
prosecution of these criminals to come forward.  When computer
criminals (and their parents if they are juveniles) are held
accountable for their action and liable for the costs incurred as a
result of their actions and when prison becomes the residence of those
convicted for the next 10 years, the desire for superstar status will
be tempered with the very real possibility of arrest and confinement.

Microsoft has taken an aggressive approach to resolving the problem
faced by the individual home computer user and I, as one of those
millions, appreciate their efforts.  Mr Vamosi is advocating the
building of a better cheese container to keep out a mouse whose
favorite sport is breaking into the container using the plans he got
off the internet.  We don't need a better container. We need a very
hungry cat.

Peter A. Dyer    
Director of Operations
The Dyer Company
TheDyerCo () aol com



-----Original Message-----
From: InfoSec News [mailto:isn () c4i org]
Sent: Tuesday, November 11, 2003 7:46 AM
To: isn () attrition org
Subject: [ISN] Microsoft's hacker bounty is wasted money 


http://asia.cnet.com/newstech/perspectives/0,39001148,39157414,00.htm

By Robert Vamosi, Special to CNETAsia
Tuesday, November 11 2003 8:24 AM 
 
commentary: Last Wednesday, Microsoft, the FBI, the U.S. Secret
Service, and Interpol, an international law enforcement organization,
announced a US$5 million reward system for information leading to the
arrest of individuals who write computer viruses.

In particular, Microsoft is offering a quarter of a million dollars to
apprehend the authors of last August's MSBlast and Sobig.f worms.

What a brilliant PR move--something to distract the media from the
latest Windows-based virus, MiMail.c, that's currently loose on the
Internet. Instead of using that same US$5 million to secure the
Windows code you and I use every day, and admitting that it's partly
responsible for the problem, Microsoft has decided to point the finger
elsewhere.

Deja vu

This situation reminds me of the current U.S. anti-drug strategy, in
which the government spends billions of dollars on drug interdiction
and user arrests. While it's important to reduce the flow of illegal
substances on our streets (and I'm not suggesting we legalize all
drugs), such arrests alone are not enough. We also need programs that
address the addictive behavior that creates demand for drugs. By not
focusing on the underlying causes of drug use, we are consequently
losing the war on drugs.

[...]




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

