Information Security News mailing list archives

RE: Microsoft's hacker bounty is wasted money


From: InfoSec News <isn () c4i org>
Date: Mon, 17 Nov 2003 03:52:42 -0600 (CST)

Forwarded from: security curmudgeon <jericho () attrition org>
cc: TheDyerCo () aol com

: Forwarded from: Peter Dyer <TheDyerCo () aol com>
:
: Acknowledging Mr Vamosi's constitutional right to free speech, I can but
: wonder about his views and the agenda he is trying to advocate at a time
: when criminals are vandalizing millions of computer systems every day
: for nothing more than the sport of it.  The superstar status granted by
: the hacker community to one of their own based upon the scale of the
: impact a particular criminal effort has on the world population does
: nothing more than encourage bigger and more outlandish attacks.

The superstar status granted by the hacker community is *second* to the
awe inspiring reputation bestowed upon the criminal by security companies
and news outlets. The hacking scene doesn't profit off the worms and the
criminal's reputation.. security companies and news outlets do.

: Having someone from the professional security community and a publisher
: who supposedly advocates Information Security take the focus of our
: efforts off the criminal and then blame the software provider for the
: millions of dollars in lost productivity and clean-up costs is absurd!

Is it really absurd? Or is it absurd to think that these bounties will
deter *every* person in the world from ever writing a worm or virus? Do
you really live in a world where paying bounties stops crime? Why hasn't
it worked in the past? You walk into a 7-11 and see that you can receive
up to $10,000 for providing information on armed robbers. Yet three hours
ago my local news reported of an armed robber that not only held up a
convenience store, but went back shortly after to threaten the clerk
further. Why isn't that bounty working?

Someone from the professional security community who advocates Information
Security is doing just that. They want secure products. Catching bad guys
doesn't improve security.

: Young hacker criminals seeking superstar status will inevitably find a
: way to circumvent computer systems protected by the most elaborate
: security programs through little more than taking advantage of the
: weakness of one inside individual and a little creative human
: engineering effort.

And if this is the only attack vector left to these superstar criminals,
then the worms we've seen over the last three years will be a thing of the
past. They often don't rely on the weakness of one inside individual. They
rely on the weakness of one operating system, that is dreadfully insecure.

: The millions of home users impacted in the process cannot possibly
: defend themselves from the dedicated actions of one criminal hacker and
: neither can Microsoft.

This is absolutely false. Home users that use routers with no open ports
that provide NAT will find themselves secure from all the worms that rely
on an open and vulnerable service.

You also fail to realize that this uber hacker that is so dedicated and
can break into anything is also likely to never be caught, bounty or no.

: Placing a bounty on the heads of these computer criminals will encourage
: people with information necessary for the successful prosecution of
: these criminals to come forward.  When computer criminals (and their
: parents if they are juveniles) are held accountable for their action and
: liable for the costs incurred as a result of their actions and when
: prison becomes the residence of those convicted for the next 10 years,
: the desire for superstar status will be tempered with the very real
: possibility of arrest and confinement.

And when these superstar criminal hackers are outside any form of U.S.
jurisdiction? Oh gnoez! Your plan fails.

: Microsoft has taken an aggressive approach to resolving the problem
: faced by the individual home computer user and I, as one of those

Huh?! Microsoft has NOT addressed or begun to resolve the problem.
Insecure software, primarily the Windows operating system family is the
main problem. Shoddy software that is open to a wide variety of easily
exploited vulnerabilities is the problem we are facing. The people who
exploit the vulnerabilities are a byproduct of the problem.

: millions, appreciate their efforts.  Mr Vamosi is advocating the
: building of a better cheese container to keep out a mouse whose favorite
: sport is breaking into the container using the plans he got off the
: internet.  We don't need a better container; we need a very hungry cat.

Look around you. Do you see crime? If you answer "yes", then the very
hungry cat we call "law enforcement" isn't enough. Look around again, and
ask your friends who use common sense in their day to day life and do so
with security in mind. Have they been robbed? Mugged? If not, why not?

The real world does not follow your logic.

: Peter A. Dyer
: Director of Operations
: The Dyer Company
: TheDyerCo () aol com

Odd, can't find a thing about your company on Google.



-
ISN is currently hosted by Attrition.org
