
Microsoft Reward Leads to Arrest of Sasser Suspect

tritone writes "According to this article on CNET, it was a reward from Microsoft that led to the arrest of the perpetrator of the Sasser Windows Worm. This is the first success for Microsoft's Antivirus Award Program, a $5 million fund to reward people for coming forward with information about those who release major worms and viruses."
  • by betelgeuse-4 ( 745816 ) on Sunday May 09, 2004 @10:37AM (#9099730) Homepage Journal
    It's going to take way more than $5 million to clean up the Windows code.
  • Good (Score:3, Insightful)

    by Omega1045 ( 584264 ) on Sunday May 09, 2004 @10:38AM (#9099731)
    Good. All anti-MS "They should have written more secure software" comments aside, I am glad they were able to catch this guy if it is him. I am glad the reward worked. In the end there is one person that is really, truly responsible for the virus and that is the virus writer. Now I wonder how much of the $5m pot the informer(s) will get.
  • by ColdWetDog ( 752185 ) on Sunday May 09, 2004 @10:42AM (#9099753) Homepage
    That Sasser's writer was discovered by that very old hat and low tech method of greed. For a few moments after the alleged perpetrator had been arrested, I had thought that M$ had managed to actually do something proactive and clever.

    I suppose throwing money at the problem is proactive, but hardly clever.

    In this complex and often terrifying world, it's nice to know that some things never change.

  • by tomstdenis ( 446163 ) <tomstdenis@gma[ ]com ['il.' in gap]> on Sunday May 09, 2004 @10:47AM (#9099772) Homepage
    How does this get an interesting mod?

    That's right up there with pointing out the series of bugs in A-patchy webserver, or the various permission escalations in the lenux Kurnul.

    Look, I'm l33t, I point out the flaws of one company to make myself look l33t. When those flaws are actually shared by basically all other software firms out there.

    Now I'm not an MS fanboy [run Gentoo] but that doesn't mean I can stand idiots like you. Let's see you try and write an OS that can even *half* compete with Windows and not have any bugs. Then you can sit here and be all mighty about what a company should or should not do.

    Tom
  • by Anonymous Coward on Sunday May 09, 2004 @10:47AM (#9099773)
    ... than at making good software.

    Not that I think the virus maker is a cool guy, but I think there will always be a virus maker; isn't it in human nature?

    I think a program as big as Windows should not be controlled by so small a group of people.
  • Re:Good (Score:3, Insightful)

    by aaribaud ( 585182 ) on Sunday May 09, 2004 @10:48AM (#9099777)
    Of course, we should keep in mind the fact that unlike with bank robbers or muggers, arresting virus/worm writers once a virus or worm is out in the wild does not stop the virus/worm from spreading. This somehow reduces the usefulness of the MS initiative.
  • Re:Good (Score:3, Insightful)

    by Draxinusom ( 82930 ) on Sunday May 09, 2004 @10:48AM (#9099780)

    The suspect had been identified by acquaintances seeking a $250,000 reward.

    http://www.washingtonpost.com/wp-dyn/articles/A11160-2004May8.html [washingtonpost.com]

    Remember, kids, no more bragging about those worms to real-life acquaintances!

  • Re: I wish... (Score:5, Insightful)

    by Kjella ( 173770 ) on Sunday May 09, 2004 @10:49AM (#9099781) Homepage
    Wonder what's the ROI for releasing a virus and then ratting on yourself.

    Wonder what's the ROI for releasing a virus by framing an asshole and then ratting on said asshole.

    Kjella
  • by betelgeuse-4 ( 745816 ) on Sunday May 09, 2004 @10:49AM (#9099782) Homepage Journal
    It appears the reward is only offered once a virus has done some serious damage, so it only has the effect of stopping one virus coder at a time. It does nothing to stop aspiring young virus writers from aspiring to be virus writers.
  • Why? (Score:3, Insightful)

    by John Seminal ( 698722 ) on Sunday May 09, 2004 @10:49AM (#9099784) Journal
    Just because the code is not secure, does that give another person a right to cause harm? It is like saying that if I leave my back door unlocked at night, I am to blame if someone breaks in. I say that is bullshit. I say I have a gun, and if someone breaks in, they are getting shot. And that is how this guy should be treated, as a criminal thug.

    How much money does Microsoft have to spend making their operating system, and how perfect and secure does it have to be?

    Maybe if it was not for the virus writers, the cost of Windows would be cheaper. Maybe because of the virus writers Microsoft has to spend more money?

    I think it is horrible for someone to defend a criminal because the criminal had opportunity to commit a crime.

  • by Peyna ( 14792 ) on Sunday May 09, 2004 @10:50AM (#9099788) Homepage
    Part of the agreement should be that when you submit the vulnerability to MS, you agree to keep quiet for X amount of time, they agree to give you some reward. After X amount of time, you should be able to then release the information to the public.

    Of course, the only problem is, if you told them and kept quiet, chances are someone else is going to find that same vulnerability who might not play as nice.
  • Proof ? (Score:1, Insightful)

    by veg ( 76076 ) on Sunday May 09, 2004 @10:50AM (#9099792) Homepage Journal
    How are they going to prove a specific person wrote the code? Unless he confesses there can't be anything other than circumstantial evidence, can there?

    Having said that, we *know* the poor kid's going down, which prompts the question, could anyone dump someone they don't like right in it, and then get a fat reward?
  • by Anonymous Coward on Sunday May 09, 2004 @10:54AM (#9099813)
    Real geeks like you and myself have come to this realization, these guys aren't even trolling most of the time -- they just actually get into the mob mentality without reasoning using any real thought. All those fellers going for a +5 funny just so they feel accepted. Don't feed the slashbots.
  • Re:Proof ? (Score:5, Insightful)

    by John Seminal ( 698722 ) on Sunday May 09, 2004 @10:55AM (#9099820) Journal
    There is proof.

    1) They can show he had the ability to write it.

    2) They might have people who he told he wrote it.

    3) There might be evidence on his computer.

    4) They can look at how it spread, and what he had access to.

    5) They might have been tracking his internet activities, seeing where he was and what he was doing (they had probable cause).

    I think there are many things the police can do to find out if it is him.

  • by John Seminal ( 698722 ) on Sunday May 09, 2004 @10:57AM (#9099837) Journal
    It appears the reward is only offered once a virus has done some serious damage, so it only has the effect of stopping one virus coder at a time. It does nothing to stop aspiring young virus writers from aspiring to be virus writers.

    It has deterrent value. It says if you become good at writing viruses you will get nailed. Maybe MS does not care about the young kid messing around who does not damage anything. Microsoft is showing good restraint.

    Plus, I can't help but think that comment is typical of how people treat MS. They either complain they are not doing enough or too much.

  • by hype7 ( 239530 ) <u3295110.anu@edu@au> on Sunday May 09, 2004 @11:04AM (#9099873) Journal
    I wonder if MS can keep up this effort and if we'll eventually start to see sponsored virii added to the real TCO for windows OS'.


    You bring up an excellent point. Almost all the research methodologies for examining TCO do NOT include virii losses/downtime. However, they're starting to get far from non-trivial (like the Finnish bank that went offline for a day because of Sasser... imagine the cost) and are often the motivation for an organisation to start looking at alternatives to Windows - ie MacOS X and Linux.

    -- james
  • show me the money (Score:3, Insightful)

    by DNS-and-BIND ( 461968 ) on Sunday May 09, 2004 @11:05AM (#9099879) Homepage
    In terms of legality, there are so many ways to weasel out of paying a reward. You can say that the information didn't actually help that much, or any other of a thousand excuses. The U.S. State Department is notorious for this. Why should Microsoft be any different? Why should they pay off...they have their man already. The best thing to do, from a corporate-profit point of view, is to set the lawyers on the problem and divine a solution such that the reward need not be paid. This is pretty common stuff.

    Oh, and MS should pay to keep up their reputation...puh-leez. Their reputation is already lower than a snake's belly in a gully. How can they go farther? Before any knee-jerk MS apologists start replying, go check out what I've said about rewards being paid off...you'll find the situation is just as depressing as I've described.

  • Bounty Hunter (Score:5, Insightful)

    by Ugmo ( 36922 ) on Sunday May 09, 2004 @11:05AM (#9099882)
    OK, I want some of that dough.

    The article mentions that Microsoft used some technical means to confirm the informants' information but the informants did not use technical means to identify the guy. This leads to some questions:

    Does Microsoft somehow bug your code if you use MS products to produce it? If I remember correctly some of the Word macro viruses had an ID number somewhere inside them that let MS identify the copy of Word that originally produced the virus.

    Is such a serial number/product ID what MS used to confirm the informant's information?
    It would not necessarily need to be a number. Deliberate variations in the code produced by a compiler from one machine to the next could be used as a fingerprint.

    Barring that, was there some other technical means that could have been used to locate the author?

    If I wanted to be an Anti-Virus Bounty hunter is my best bet learning to decompile code or to hang around on IRC chat channels and either encourage other users to write viruses so I can turn them in later, or make friends with real virus writers so I can turn them in?

    Maybe a piece of reference code can be made available on a website and people can compile it on a range of machines and MS compilers. The resulting code can be compared to see if the machine/compiler pair can be identified from the executable. If two machines with the same OS and development tools create code with slight differences I would begin to worry if I were a virus writer.
  • access (Score:5, Insightful)

    by Beer_Smurf ( 700116 ) on Sunday May 09, 2004 @11:08AM (#9099897) Homepage
    I am amazed, with the number of open access points, that someone ever gets caught. Guess they can't help bragging to their friends.
  • by ites ( 600337 ) on Sunday May 09, 2004 @11:09AM (#9099904) Journal
    Any strategy contains the seeds of its own failure. In this case, bribing criminals to hand-over their own is a classic but short-term solution.

    Firstly, it sets the stage for blackmail. If one isolated hacker is worth $5m, how much is an unreleased worm worth? Probably much, much more. I'd not be surprised if MS regularly get asked for money upfront before worms are released. Paying out will only make this worse.

    Secondly, it is a Darwinian filter. Yes, you can pay to get hold of an isolated criminal. No, you cannot use this tactic against criminal gangs. $5m is not a lot when compared to the value of a large botnet. Setting bounties will eliminate the free-lancers and leave the stage open for more organized criminals who will probably be more aggressive in using zombied PCs for criminal acts (child porn, DDoS, etc.)

    Thirdly, it is prejudicial and likely to lead to the arrest of innocent people. Given that any zombied PC can be used to launch a worm attack, how can any evidence be trusted? Confessions, too, are unreliable. Bounties are rapidly turned into lynchings.

    Lastly, it is a distraction from the real issue: Windows' fundamental security weaknesses. Microsoft must release a secure Windows within the next 12 months or risk permanent damage to their brand. Paying bounties for worm writers fools no-one: Windows remains insecure and there remains an unlimited supply of smart criminals happy to take advantage of that.

  • by Naked Rayburn ( 776986 ) on Sunday May 09, 2004 @11:09AM (#9099907)
    It has deterrent value. It says if you become good at writing viruses you will get nailed. Maybe MS does not care about the young kid messing around who does not damage anything. Microsoft is showing good restraint.

    It may deter kids but certainly not pros. Rewards rely on enough individuals knowing who committed a crime so that at least one betrays the criminal. With kids that's easy since they're publishing their exploits as part of a game. With pros, no way. When terrorists and organized criminals write and distribute viruses, expect the MS reward to have much less impact.

    Prevention through proper security, OTOH, cuts against both kids and pros. Cut out the exploit and you cut out the damage. Of course, MS management knows this...

    Naked Rayburn
  • Re:Why? (Score:2, Insightful)

    by Anonymous Coward on Sunday May 09, 2004 @11:10AM (#9099912)
    If I'm spending $300 on a piece of software, I don't want to get fucked as soon as I install it.

    Windows XP Home is $150 CAD right now. If I'm spending that much money on something, I'd like it to work at least SEMI-reliably. But, no, Microsoft isn't at fault for this horrible software.

    How much money do they have to spend on making it? As much as it takes to make a good product. Would you want these kind of flaws and errors in any of the other products you purchase? I doubt it.

    Yes, the kid is a criminal in the fact it could have cost people's lives (UK Coast Guard), but should the people that require that kind of reliability use this software? No, they shouldn't, but Microsoft and others feed everyone with the thoughts that Microsoft is the only way to go.
  • by Vargasan ( 610063 ) <swhiskenNO@SPAMrogers.com> on Sunday May 09, 2004 @11:13AM (#9099928) Homepage
    Did you already forget the $600 million fine they got in the EU?

    $50 million is penny candy for Microsoft.
  • by bagofbeans ( 567926 ) on Sunday May 09, 2004 @11:15AM (#9099941)
    ...is that the software system design, default behaviour, and security level is so poor that a 17 year old can easily exploit it and cause so much damage.
  • by cowscows ( 103644 ) on Sunday May 09, 2004 @11:15AM (#9099944) Journal
    Don't be so paranoid. They'd have to pay an awful lot of talented people to get the volume of linux viruses up to a level where windows would compare favorably. And that effort would be nowhere near the risk of the horrible PR that would be generated when someone revealed that MS was paying them to write these linux viruses.
  • Positive thinking? (Score:5, Insightful)

    by Idou ( 572394 ) * on Sunday May 09, 2004 @11:21AM (#9099977) Journal
    Look, if an anti-social 19 year old can create such a devastating worm, I am afraid the odds are against this strategy of fighting the problem. What, there must be a 100 MILLION other kids just like him, playing away on their windows computer, looking to be more than just a pimple faced teenager.

    Let's see, ingredients to a killer windows worm:

    1. Anti-social teenager
    2. windows computer
    3. internet connection
    4. some free time (see 1.)

    Sorry, this is just not the way to resolve the problem. It is just too easy, not even worth celebrating. No wonder MS is ONLY investing 5M in this method (what is 5M to MS?).

  • by toopc ( 32927 ) on Sunday May 09, 2004 @11:21AM (#9099979)
    How about paying for the time of all the admins that have been running around patching systems to get rid of it?

    The patch for Sasser was available 3 weeks before the virus was released. I don't know about you, but I'd rather pay an admin to install a patch before the virus hits, than to pay him because he's busting his ass fixing a problem that he should have avoided.

  • Payload next time? (Score:3, Insightful)

    by cdn-programmer ( 468978 ) <<ten.cigolarret> <ta> <rret>> on Sunday May 09, 2004 @11:32AM (#9100030)
    With this purported arrest there are a few questions that enter my mind.

    (1) Do they have the right guy? I doubt it!

    (2) What of a payload. Perhaps next time there will be a real payload. IMHO dumping a worm onto the net is about the same as a prank. I somehow doubt the "authorities" will see the humour. In which case perhaps the next worm will contain a payload worthy of the punishment that this young man will suffer.

    This could be the beginning of a serious escalation.

    What people need to realise is that with a billion plus people on the net, if there is a vulnerability then it will be found. It does not matter who does it - because SOMEONE will. Punishing the prankster is not a deterrent. Fixing the broken software is the only solution and fat cat Mr. Moneybags Bill Gates should be able to accomplish the latter... either that or withdraw the clearly faulty software from the market.

    If we choose to attack and punish the pranksters then it is we who escalate this and I would expect the reaction will be in the form of an escalation of the damages.

  • what's to stop.... (Score:3, Insightful)

    by zogger ( 617870 ) on Sunday May 09, 2004 @11:34AM (#9100043) Homepage Journal
    ... a VERY good hacker releasing a virus but making it look like it came from someone else, perhaps someone the hacker is at war with, or just some random victim? And then joe victim would be stuck, trying to prove they didn't do it, with the evidence all over their computer.

    sucks. It could be done JUST to get the reward for that matter, although that would be risky, but still possible.

    microsoft got a mega buhzillion dollars in the bank from not hiring coders and not insisting on great code since forever and a day. I think what is more appropriate when money is being talked about is a class action lawsuit from thousands of joe MS users, not the government, joe users large and small who have been victimised by insecure OS that they got *suckered and conned* into running, and I mean suckered by their abusive monopoly tactics and vendor lockins for OS that happened over the past decade especially. Most people didn't "choose" to run microsoft, they got faked into it by it being installed on their boxes when they bought them. Then all of microsofts profits from not doing their job, combined with the ridiculous no warranty deal that profitable software gets, turned into the victimized end user's problems, where you get borken computers, anger, frustration, and in the case of businesses, millions of dollars in actual-for real damages, probably billions, I don't know. A big ole pile of cash, call it that. I bet in a lot of cases the constant and recurring damages exceed the cost of the software installed by many factors.

    That sucks too. viruses and worms are BOTH the fault of evil hackers AND filthy rich monopolists who did NOT give a care about security until the past coupla of years, and even then it was half assed. MS as a total company gets its corporate mindshare from william gates, always has, and he just don't and never has given a crap as long as he can rake in the dough, he's an extreme predator, and I don't care how "compassionate" and "giving" with his "foundation" some mafia don is with ill gotten gains, he's still a mafia chieftain, and made his loot by being a crook. Easy to give away free money you stole and conned people for.

    Same with MS and gates, he needs to go to JAIL as far as I am concerned, he's a chronic serial crook, a repeat offender to boot, hiding behind the corporate wall of almost near immunity, and he shows no sign of stopping being a crook, although I will grant he's apparently trying to fix security in longhorn, but that's a long ways off and doesn't address past crimes, and I think he's only doing it because he is being forced to by market pressures.
  • Re:Why? (Score:5, Insightful)

    by Anonymous Coward on Sunday May 09, 2004 @11:36AM (#9100055)
    Here's a better way to put it.

    If the doors in your house are faulty and won't lock at all, then someone breaks in, who is to blame? The intruder, or the company that sold you the defective doors?

    I say both.

    And because the "door company" is paying to find the intruders after they have broken in does not mean it solves the problem, maybe they should fix the locks first. That sounds like a reasonable idea.
  • Re:Why? (Score:5, Insightful)

    by Waffle Iron ( 339739 ) on Sunday May 09, 2004 @11:38AM (#9100070)
    Your analogy is flawed.

    It is like saying that if I leave my back door unlocked at night, I am to blame if someone breaks in.

    It's not like a door on your house. It's more like you're a tenant in a large apartment block in a bad neighborhood, and the landlord hasn't installed working locks on any of the apartments.

    I say I have a gun, and if someone breaks in, they are getting shot.

    But in this case you don't have a gun, nor can you get one. There's just about nothing that you can do as an individual to retaliate or even track down the perpetrators.

    It's more like this: After years of complaints, the negligent landlord decided to hire a private investigator. After almost a year, this PI has managed to track down just one out of the hundreds of criminals harassing the neighborhood. BFD.

    Maybe if it was not for the virus writers, the cost of Windows would be cheaper.

    Maybe if it weren't for thieves, the cost of apartments would be cheaper. They wouldn't need security services or door locks. Unfortunately, that's a pipe dream. In the real world, you're not ever going to avoid paying for security. Deal with it.

    Microsoft, the brilliant businessmen that they are, has actually managed to avoid or push off onto others the full costs of security for quite some time. However, even they will not be able to avoid the inevitable forever.

    They are going now to pay to fix their mistakes with some fraction of their pile of cash, but more importantly, they are going to have to design security into their software up front. This is going to significantly slow down their pace of churning their software updates. This loss of some of their competitive edge is going to be the real price that they pay.

    I think it is horrible for someone to defend a criminal because the criminal had opportunity to commit a crime.

    Likewise, it's bad to defend negligence on the part of those responsible for providing security measures by saying "Sure the security was badly flawed, but if there weren't any bad guys in this world, we wouldn't need security!"

  • just like ESR said (Score:3, Insightful)

    by ignavusincognitus ( 750099 ) on Sunday May 09, 2004 @11:41AM (#9100087)
    "given enough bounty dollars, all security vulnerabilities are shallow".

    Seriously, this is just the known "cost of doing business" mentality again. If it's cheaper to pay a reward than to develop a secure product in the first place, that's what MS will do.

    This is the exact same way they treat regulation - if it's cheaper to break the law and pay some puny court-ordered fine here and there, so be it.

  • Re:Why? (Score:1, Insightful)

    by TechniMyoko ( 670009 ) on Sunday May 09, 2004 @11:46AM (#9100120) Homepage
    sorry troll but xp works fine out of the box, is stable as your house, and insecure for only five minutes after it gets online and downloads all the updates. last time i checked, linux needs updates too, does that make it 'horrible'?
  • Re:Why? (Score:4, Insightful)

    by theLOUDroom ( 556455 ) on Sunday May 09, 2004 @11:52AM (#9100154)
    Just because the code is not secure, does that give another person a right to cause harm? It is like saying that if I leave my back door unlocked at night, I am to blame if someone breaks in. I say that is bullshit. I say I have a gun, and if someone breaks in, they are getting shot. And that is how this guy should be treated, as a criminal thug.

    I don't have a problem with locking up those who distribute worms and viruses, but I do have a problem with locking up someone just because you can show that they wrote it. It's more like locking up someone just for *OWNING* lockpicks. What should be illegal is using the lockpicks to break into someone's house, not owning them in the first place. Many of the early DOS/Windows viruses contain examples of extremely clever programming with all sorts of alternate applications: crypto programs, AV programs, copyprotection/anti-reverse engineering schemes, etc.

    Maybe if it was not for the virus writers, the cost of Windows would be cheaper. Maybe because of the virus writers Microsoft has to spend more money?

    No, this is kind of a basic econ 101 thing. When a company has a monopoly, they start charging the "monopoly price" [sc.edu] as opposed to the fair market price. While the fair market price is tied to supply and demand, cost of production, etc, the monopoly price is dictated strictly by DEMAND. The monopolist looks at the demand curve for their product and chooses the point that maximizes their revenue. Since Windows is a software product as opposed to a car, there is little incremental cost between producing 100,000 copies as opposed to 50,000. This means that the production cost aspect of the monopoly price is pretty much fixed, and the price is dictated almost entirely by demand.
  • Re:Good (Score:2, Insightful)

    by TechniMyoko ( 670009 ) on Sunday May 09, 2004 @11:53AM (#9100160) Homepage
    it's easier to write anti-viruses when you have the source code to the virus. also, it's easier to deter more viruses when you have the head of a virus writer on a stick
  • by sjgm ( 769067 ) on Sunday May 09, 2004 @12:04PM (#9100260)

    The organisations who were taken down should have taken more precautions [kenobi.it], then.

    If worms and viruses actually did real damage, I would suspect that future attacks would be less successful because of the real shock value associated with it - people might start to be more proactive in securing their machines, or not letting potentially insecure machines on their network.

    However, I suspect that viruses/worms are never going to be that destructive given that a nonfunctional computer cannot spread the infection further - there would be little incentive to release such a virus/worm.

  • Re:Note to self... (Score:3, Insightful)

    by chabotc ( 22496 ) <chabotc@ g m a i l.com> on Sunday May 09, 2004 @12:10PM (#9100297) Homepage
    Note to self:
    - Write major virus or worm
    - Get a trusted friend to report me and split the 5 million $

    That's a hell of a year's income for sitting in jail a bit..
  • Flawed Analogy (Score:3, Insightful)

    by Jonathan Quince ( 737041 ) on Sunday May 09, 2004 @12:11PM (#9100309) Homepage
    arresting virus/worm writers once a virus or worm is out in the wild does not stop the virus/worm from spreading.

    Arresting a murderer doesn't bring dead victims back to life. Does this reduce the usefulness of the police initiative to arrest murderers?

    (Your analogy is flawed in general. The same applies to "bank robbers or muggers" as you mentioned: Once a crime has been committed, the damage has been done; and if no damage is done, I'd have trouble calling it a "crime".)

  • Re:Note to self... (Score:3, Insightful)

    by Deraj DeZine ( 726641 ) on Sunday May 09, 2004 @12:33PM (#9100448)
    Better yet, frame somebody for writing the virus and take the $5 million yourself. That's what I'd do (if I was a jerk).
  • by Some Bitch ( 645438 ) on Sunday May 09, 2004 @01:35PM (#9100857)
    The patch for Sasser was available 3 weeks before the virus was released.

    You should also mention that the patch fucked SMP machines and possibly (depends how lucky you are) any NT machine with a partition over 7.8GB. When testing reveals that the patch is borked you do NOT install it.

  • Re:Why? (Score:4, Insightful)

    by wharrislv ( 250917 ) * on Sunday May 09, 2004 @01:58PM (#9100998) Homepage
    Yeah dude, totally...just like someone who makes a biological weapon to expose the weakness in the current national security infrastructure. They could just leave it out on the street marked "use me to fuck up the entire city."

    They haven't done anything wrong, right? I mean, they didn't RELEASE the poison, and their aim is noble since they really only expose all the country's physical security holes.

    FUCK virus writers. They cost people money and time. Money and time is LIFE, just because they take it from you 10 minutes at a time doesn't make it any easier to swallow.

    If you want to make people more aware of security, try community outreach. Get involved locally and make a real difference in people's lives. Take charitable contributions to buy billboards and TV commercials. Get the big players involved.

    But...wait, that would be POSITIVE. That isn't nearly underground enough for your typical virus writer. Their rhetoric is a fucking smokescreen, they're slimebag criminals and they deserve to be punished just like a CEO who jacks down stock prices. They're both doing MONETARY damage. Money is time and time is life, never forget that.
  • by tomstdenis ( 446163 ) <tomstdenis@gma[ ]com ['il.' in gap]> on Sunday May 09, 2004 @02:26PM (#9101123) Homepage
    cooperation from vendors doesn't mean what you think it means. Incomplete [late] databooks are not that rare for most firms.

    Just because MSFT is huge doesn't mean they can produce perfect work. Several things contribute to the ultimate non-perfectness

    1. Moving target. Even while they are writing a version of Windows new hardware is being developed. They have to be able to accommodate late submissions.

    2. Not all MSFT employees are developers and not all MSFT developers work on windows.

    3. Diminishing returns. Adding more people produces smaller returns on investment.

    These characteristics are not unique to MSFT though. The same could be said of say KDE. Not all KDE members are developers, piling on 1000s of developers won't make it 1000x better and KDE doesn't target features from 5 years ago.

    lo-and-behold KDE has bugs in it. Shocking!!! The horror!!! OMG!!!

    This is why the original poster's type of tripe pisses me off. It's so fucking narrow minded.

    Tom
  • Re:Why? (Score:3, Insightful)

    by theLOUDroom ( 556455 ) on Sunday May 09, 2004 @02:46PM (#9101225)
    Yeah dude, totally...just like someone who makes a biological weapon to expose the weakness in the current national security infrastructure. They could just leave it out on the street marked "use me to fuck up the entire city."

    They haven't done anything wrong, right? I mean, they didn't RELEASE the poison, and their aim is noble since they really only expose all the country's physical security holes.


    First off, your example is ridiculously extreme and doesn't really match the discussion at hand.
    Second, you add in the irresponsible action of placing the "biological weapon" somewhere without fully disclosing what it is. (Which is more akin to RELEASING a virus rather than WRITING one.)

    See your example is more like building a bomb and leaving it in a public place. Obviously that's bad and you're knowingly trying to hurt people.
    But on the other end of the spectrum, there are those who fuck around with things like explosives for fun, and sometimes end up doing really good things as a result.

    Someone like you would have had Alfred Nobel jailed as a "terrorist threat". That's stupid.

    Their rhetoric is a fucking smokescreen, they're slimebag criminals and they deserve to be punished just like a CEO who jacks down stock prices. They're both doing MONETARY damage.

    This is an absurd leap here. So if you build a car with shitty brakes (or door locks) and I publicize that fact, I'm the bad person for costing you money by exposing your negligence?

    See, the problem I have with all of this is that if I write a virus, keep it to myself, and never release it, it's still illegal. I wouldn't be hurting you, or costing you money, but I would be guilty of some sort of "intellectual transgression" because people like you are so terrified of nasty viruses.

    Say you build a car with shitty door locks and I find out they can be opened with a screwdriver....
    Should we make screwdrivers illegal?
    Fuck no.
    Me using a screwdriver to break into your car is ALREADY illegal, and if you're that terrified that someone's going to do it, get better locks.
    By all means, go after people who actually ARE going around breaking into cars, but the knowledge and ability to commit a crime should not constitute a crime by itself.
    In order to be guilty of a crime, you should actually be guilty of harming someone else. RELEASING the virus is what does that harm, not writing it.
  • by NanoGator ( 522640 ) on Sunday May 09, 2004 @02:55PM (#9101270) Homepage Journal
    "Or... it encourages people to keep writing viruses, knowing that the more individuals who write viruses, the less ability Microsoft is going to have to offer $250,000 to $5.0million rewards."

    I know it's cool to hate Microsoft and all, but I seriously doubt anybody's gonna enjoy the idea of going to jail just to cost MS a few dollars. Microsoft isn't worth being made a martyr over.
  • by mr_z_beeblebrox ( 591077 ) on Sunday May 09, 2004 @03:15PM (#9101346) Journal
    You should also mention that the patch fucked SMP machines and possibly (depends how lucky you are) any NT machine with a partition over 7.8GB. When testing reveals that the patch is borked you do NOT install it.

    Don't forget to also mention that when a manufacturer waffles back and forth about whether or not to continue support on a platform (NT) that platform should be dropped from production. All my Windows 2000 boxes are SMP, I have partitions MUCH greater than 7.8 GB and the patch I installed 3 weeks ago works great.
  • pro virus writers? (Score:2, Insightful)

    by $anchez ( 774063 ) on Sunday May 09, 2004 @07:57PM (#9102601)
    I don't know the punishment the author of this virus will get, but with the creation of this reward fund it may start off professional virus writing. If the punishments for writing a virus aren't that strict then if someone could write a virus of this magnitude and release it, then get a friend to nark on them and split the reward money after the guy gets out of jail or something
  • by lucifer_666 ( 662754 ) on Sunday May 09, 2004 @11:09PM (#9103495)
    This reward program from Microsoft does mean that people who find exploits in their software will keep them more to themselves.

    Rather than coding a virus with the exploit hacker John finds, he may now just keep the code to himself. Which sure, stops a new virus coming onto the net... But...

    Now John has an exploit in his hands he can use at any time on anyone he likes. Rather than being encouraged by the underground community to write a virus (therefore alerting everyone else to the vulnerability), John is now encouraged to shut up and not tell anyone, as his hacker friends are the most likely to lag.
