Microsoft's hacker bounty is a waste of money
Published: 11 Nov 2003 15:30 GMT
Last Wednesday, Microsoft, the FBI, the US Secret Service, and Interpol announced a $5m reward system for information leading to the arrest of individuals who write computer viruses. In particular, Microsoft is offering a quarter of a million dollars to apprehend the authors of last August's MSBlast and Sobig.f worms.
What a brilliant PR move -- something to distract the media from the latest Windows-based virus, MiMail.c, that's currently loose on the Internet. Instead of using that same $5m to secure the Windows code you and I use every day, and admitting that it's partly responsible for the problem, Microsoft has decided to point the finger elsewhere.
This situation reminds me of the current US anti-drug strategy, in which the government spends billions of dollars on drug interdiction and user arrests. While it's important to reduce the flow of illegal substances on our streets (and I'm not suggesting we legalise all drugs), such arrests alone are not enough. We also need programs that address the addictive behaviour that creates demand for drugs. By not focusing on the underlying causes of drug use, we are consequently losing the war on drugs.
In the same way, Microsoft is taking the wrong approach. Arrests won't stop viruses from being created, just as they won't stop drugs from being sold. Microsoft and others could spend $50m on rewards, and we would still have sophisticated Internet worms like SQLSlammer and MSBlast. The way to stop viruses is to develop secure software. Yet, while every operating system is probably vulnerable to some sort of attack, it's well known that Windows is particularly poor with respect to security.
Windows XP Home Edition, for instance, ships with its built-in firewall (which many users don't even know about) disabled by default and with all its Internet ports open. By comparison, while Mac OS X doesn't have a built-in firewall, at least it arrives on your computer with all unnecessary Internet ports closed. The same goes for the various Linux distributions.
Microsoft, to save time and money, designed Windows XP to be adaptable for different types of users. But the company should be more cautious about which features are turned on when the OS ships.
After all, do home users really need all their Remote Procedure Call (RPC) ports open by default? Do they need network printer and file-sharing enabled? Or for that matter, do they need the Microsoft Messenger Service turned on? No, they don't. Yet these are the features by which several recent viruses have infected many home computers.
Looking forward, I see the same sort of thing happening with the new Microsoft Office System. Many of the new rights-management features found within Word, Excel, and Outlook are designed to work with an external server -- functionality that most home users, and even many business users, won't ever use. Nonetheless, Microsoft enabled all its programs to be open to communications from outside servers, leaving them vulnerable to attacks.
This blanket policy regarding program functionality is what contributed to the overnight success of the MSBlast worm last August. Most people had never heard of DCOM RPC, nor knew that it should be disabled for increased security, until MSBlast infected almost every Windows 2000 and Windows XP user not protected by a firewall.
Microsoft could better use its $5m bounty to improve security on its software. And it wouldn't cost the company anything to, by default, enable XP's firewall, close all unnecessary ports open to the Internet, and remove services that the average home user doesn't need.
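As an added example (not from the column): a PowerShell audit that checks a Windows host for the defaults the column objects to: the firewall off, the RPC and SMB ports listening, and the Messenger and file-sharing services running. It assumes a Windows Vista-or-later host and an elevated prompt, since the `netsh advfirewall` command did not exist on the XP of 2003; the `-Apply` switch, the service list and the port list are this example's own choices.

```powershell
# Added example, not from the column. Run elevated; without -Apply it only reports.
param([switch]$Apply)

# Services the column says home users do not need (Windows internal names).
# Messenger exists only on XP/2003-era systems; LanmanServer is file/print sharing.
$unneeded = @('Messenger', 'LanmanServer')
# Ports the MSBlast-era worms and Messenger spam reached:
# 135 (DCOM RPC), 137/138 (NetBIOS), 139/445 (SMB).
$risky = @(135, 137, 138, 139, 445)

# 1. Firewall state for every profile (assumes Vista or later for netsh advfirewall).
$fwOff = netsh advfirewall show allprofiles state | Select-String -Pattern 'State\s+OFF'
if ($fwOff) {
    Write-Warning 'Firewall is disabled in at least one profile'
    if ($Apply) { netsh advfirewall set allprofiles state on | Out-Null }
}

# 2. Listening sockets on the risky ports. netstat output is the same shape
#    on XP through Windows 11, so this part works on the old systems too.
$listening = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING' -or
        $_ -match '^\s*UDP\s+\S+:(\d+)\s') { [int]$Matches[1] }
} | Sort-Object -Unique
foreach ($port in ($listening | Where-Object { $risky -contains $_ })) {
    Write-Warning "Port $port is listening; it needs a firewall rule or its service disabled"
}

# 3. Unneeded services: report, and with -Apply stop and disable them.
foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # service absent on this Windows version
    if ($svc.Status -eq 'Running') {
        Write-Warning "$name is running"
        if ($Apply) {
            Stop-Service -Name $name -Force
            Set-Service -Name $name -StartupType Disabled
        }
    }
}
```

Disabling LanmanServer removes the machine's shared folders and printers, so keep it out of `$unneeded` on a host that serves files on a trusted LAN.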
While they're at it, Microsoft should send its customers CDs every month with the latest Windows and Office patches and program upgrades to install at their leisure (if AOL can do it, Microsoft can too). These changes would be expensive for Microsoft, but could make a real difference to end users -- which the $5m bounty most likely never will.