Microsoft: No responsibility accepted

From: Craig (craig_at_gil.com)
Date: 11/05/03


Date: Thu, 06 Nov 2003 07:06:22 +1000

From: http://www.eweek.com/print_article/0,3048,a=111533,00.asp

Microsoft Corp. on Wednesday announced the creation of a $5 million fund
to be used to reward people who turn over information leading to the
conviction of virus writers.

To kick off the program, Microsoft offered rewards of $250,000 each for
information that leads to the arrest of the authors of two recent viruses,
Blaster and SoBig.F. The company announced the offers at a press
conference in Washington in conjunction with the FBI, Secret Service and
Interpol.

The idea is a novel one in the security community and attempts to exploit
the greed that motivates some crackers and online criminals. The
virus-writing world is a small one, and experts say that many virus
creators know one another and who is behind which outbreaks. However, like
most criminals, these people are loath to cooperate with law enforcement,
a fact that has hampered the ongoing investigations into Blaster and
SoBig.F.

Both viruses hit in August and, like most viruses, affected users running
Microsoft products. Blaster exploited a hole in the Windows RPC DCOM
interface, while SoBig.F went after Outlook.

"Worms and viruses are criminal acts on the international Internet
community. These are real crimes that affect real people," said Brad
Smith, senior vice president and general counsel at Microsoft, based in
Redmond, Wash.

Some security experts said Microsoft's efforts could act as a strong
deterrent for people considering releasing a virus. "It will make people
think about it a little harder. Hackers turn on each other all the time,
and there's nothing binding them together," said Pete Allor, manager of
X-Force Threat Intelligence Services at Internet Security Systems Inc., in
Atlanta. "Microsoft has raised the bar on what it means to work with law
enforcement. I think we're all collectively tired of these guys."

Representatives from the FBI, Secret Service and Interpol all lauded
Microsoft for creating the reward program, but warned that the money would
likely not be enough to prevent virus writers from creating and releasing
new malware. Still, they said that the cooperation with Microsoft is an
important step.

"It's true that law enforcement doesn't have all the answers, and it's
absolutely true that the private sector doesn't have all the answers.
That's why it's important that we cooperate," said Peter Nevitt, director
of information systems for Interpol.

Smith said Microsoft will evaluate whether to offer a reward for future
virus writers on a case-by-case basis.

.
.
.

While I do not condone intrusion ("virus") software of any kind, and
believe that the writers of such software should be punished to the full
extent of the law, this is an amazing story. Microsoft have been very
sneaky here and put ALL the blame for viruses on the law-breakers who
write them.

But there is a bigger picture here.

A Windows "virus" is a program that is written to access one of the many
security holes in Windows and cause problems. If there were no security
holes in Windows, there would be no "viruses".
 
Microsoft have been very successful in diverting blame away from
themselves, naming the intruding software a "virus" - seemingly an
unpleasant and uninvited attacking organism that needs to be eradicated,
and the following quote from the above article confirms the master stroke
that they have played:

"Representatives from the FBI, Secret Service and Interpol all lauded
Microsoft for creating the reward program."

This is a remarkable statement, as it seems to condone Microsoft's weak
software security and shift the blame on to the intrusion software
writers. Surely this is just another ploy by Microsoft, where they are
using some funds from their massive war chest to distract attention away
from themselves.

There are about 60,000 viruses known for Windows, 40 or so for the
Macintosh, about 5 for commercial Unix versions, and perhaps 40 for Linux.
Most of the Windows viruses are not important, but many hundreds have
caused widespread damage. Two or three of the Macintosh viruses were
widespread enough to be of importance. None of the Unix or Linux viruses
became widespread - most were confined to the laboratory.
http://www.theregister.co.uk/content/56/33226.html

As I see it, Microsoft's insecurity is akin to you going on holidays
and leaving your windows open and the light on. Sure the burglar is at
fault, but have you taken the necessary precautions to inhibit their
access?

Craig


