RE: [ISN] Microsoft's hacker bounty is wasted money

From: InfoSec News (isn@private)
Date: Mon Nov 17 2003 - 01:52:42 PST

    Forwarded from: security curmudgeon <jericho@private>
    cc: TheDyerCo@private
    
    : Forwarded from: Peter Dyer <TheDyerCo@private>
    :
    : Acknowledging Mr Vamosi's constitutional right to free speech, I can but
    : wonder about his views and the agenda he is trying to advocate at a time
    : when criminals are vandalizing millions of computer systems every day
    : for nothing more than the sport of it.  The superstar status granted by
    : the hacker community to one of their own based upon the scale of the
    : impact a particular criminal effort has on the world population does
    : nothing more than encourage bigger and more outlandish attacks.
    
    The superstar status granted by the hacker community is *second* to the
    awe inspiring reputation bestowed upon the criminal by security companies
    and news outlets. The hacking scene doesn't profit off the worms and the
    criminal's reputation.. security companies and news outlets do.
    
    : Having someone from the professional security community and a publisher
    : who supposedly advocates Information Security take the focus of our
    : efforts off the criminal and then to blame the software provider for the
    : millions of dollars in lost productivity and clean-up costs is absurd!
    
    Is it really absurd? Or is it absurd to think that these bounties will
    deter *every* person in the world from ever writing a worm or virus? Do
    you really live in a world where paying bounties stops crime? Why hasn't
    it worked in the past? You walk into a 7-11 and see that you can receive
    up to $10,000 for providing information on armed robbers. Yet three hours
    ago my local news reported on an armed robber that not only held up a
    convenience store, but went back shortly after to threaten the clerk
    further. Why isn't that bounty working?
    
    Someone from the professional security community who advocates Information
    Security is doing just that. They want secure products. Catching bad guys
    doesn't improve security.
    
    : Young hacker criminals seeking superstar status will inevitably find a
    : way to circumvent computer systems protected by the most elaborate
    : security programs through little more than taking advantage of the
    : weakness of one inside individual and a little creative human
    : engineering effort.
    
    And if this is the only attack vector left to these superstar criminals,
    then the worms we've seen over the last three years will be a thing of the
    past. They often don't rely on the weakness of one inside individual. They
    rely on the weakness of one operating system, that is dreadfully insecure.
    
    : The millions of home users impacted in the process cannot possibly
    : defend themselves from the dedicated actions of one criminal hacker and
    : neither can Microsoft.
    
    This is absolutely false. Home users that use routers with no open ports
    that provide NAT will find themselves secure from all the worms that rely
    on an open and vulnerable service.
    
    You also fail to realize that this uber hacker that is so dedicated and
    can break into anything is also likely to never be caught, bounty or no.
    
    : Placing a bounty on the heads of these computer criminals will encourage
    : people with information necessary for the successful prosecution of
    : these criminals to come forward.  When computer criminals (and their
    : parents if they are juveniles) are held accountable for their action and
    : liable for the costs incurred as a result of their actions and when
    : prison becomes the residence of those convicted for the next 10 years,
    : the desire for superstar status will be tempered with the very real
    : possibility of arrest and confinement.
    
    And when these superstar criminal hackers are outside any form of U.S.
    jurisdiction? Oh gnoez! Your plan fails.
    
    : Microsoft has taken an aggressive approach to resolving the problem
    : faced by the individual home computer user and I, as one of those
    
    Huh?! Microsoft has NOT addressed or begun to resolve the problem.
    Insecure software, primarily the Windows operating system family is the
    main problem. Shoddy software that is open to a wide variety of easily
    exploited vulnerabilities is the problem we are facing. The people who
    exploit the vulnerabilities are a byproduct of the problem.
    
    : millions, appreciate their efforts.  Mr Vamosi is advocating the
    : building of a better cheese container to keep out a mouse whose favorite
    : sport is breaking into the container using the plans he got off the
    : internet.  We don't need a better container; we need a very hungry cat.
    
    Look around you. Do you see crime? If you answer "yes", then the very
    hungry cat we call "law enforcement" isn't enough. Look around again, and
    ask your friends who use common sense in their day to day life and do so
    with security in mind. Have they been robbed? Mugged? If not, why not?
    
    The real world does not follow your logic.
    
    : Peter A. Dyer
    : Director of Operations
    : The Dyer Company
    : TheDyerCo@private
    
    Odd, can't find a thing about your company on Google.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Nov 17 2003 - 04:52:13 PST