Slashdot Mirror


Microsoft Reward Leads to Arrest of Sasser Suspect

tritone writes "According to this article on CNET, it was a reward from Microsoft that led to the arrest of the perpetrator of the Sasser Windows Worm. This is the first success for Microsoft's Antivirus Award Program, a $5 million fund to reward people for coming forward with information about those who release major worms and viruses."

23 of 287 comments

  1. I wish... by zaunuz · · Score: 4, Funny

    ...that MS would hand out those rewards to those who turned in people that used pirated versions of their software. Not that I care about Microsoft piracy at all, but I know a few assholes, and I could need the money.

    --
    this is probably the most boring sig in the world
    1. Re: I wish... by Kjella · · Score: 4, Insightful

      Wonder what's the ROI for releasing a virus and then ratting on yourself.

      Wonder what's the ROI for releasing a virus by framing an asshole and then ratting on said asshole.

      Kjella

      --
      Live today, because you never know what tomorrow brings
  2. It seems fitting... by ColdWetDog · · Score: 4, Insightful
    That Sasser's writer was discovered by that very old hat and low tech method of greed. For a few moments after the alleged perpetrator had been arrested, I had thought that M$ had managed to actually do something proactive and clever.

    I suppose throwing money at the problem is proactive, but hardly clever.

    In this complex and often terrifying world, it's nice to know that some things never change.

    --
    Faster! Faster! Faster would be better!
  3. Note to self... by Black+Parrot · · Score: 5, Funny


    Don't go bragging about your next virus release.

    --
    Sheesh, evil *and* a jerk. -- Jade
  4. Microsoft Rewards by mr_z_beeblebrox · · Score: 5, Interesting

    While I do agree that they need to do better (not more) auditing of code, I also think it is admirable that they are taking responsibility for the damage in some way. Props to Microsoft.
    Suggestion, instead of suing security companies who find and point out vulnerabilities they should implement rewards there. For example, if xyz security found a vulnerability they could either
    A: release it to the news/public and risk MS ire
    or
    B: Submit it confidentially to the MS bug track for a hefty reward
    Yes, that lacks disclosure but it is a healthier system than now exists.

    1. Re:Microsoft Rewards by toopc · · Score: 5, Insightful
      How about paying for the time of all the admins that have been running around patching systems to get rid of it?

      The patch for Sasser was available 3 weeks before the virus was released. I don't know about you, but I'd rather pay an admin to install a patch before the virus hits, than to pay him because he's busting his ass fixing a problem that he should have avoided.

  5. Looking forward to the fallout... by John+Seminal · · Score: 4, Interesting
    The arrest could lead to more suspects.

    I wonder what kind of deals are being offered right now for him to turn in friends and information? I wonder what is on his computer? All it takes is one informant for the police to get warrants to search all his friends' and known acquaintances' computers, so I am thinking there will be a bigger fallout than just one guy. I just hope they don't let the big fish off the hook to get 10 smaller fish.

    I wonder if this will be the start of the dominos falling. He turns in his friends, who in return turn in their friends. Then next thing you know the FBI is knocking on your door asking to look at your computer. In some ways, I welcome that. It gets to be exhausting fixing computers from all the viruses and spyware and crap.

    I am just glad that with him in jail there will be more security. One less bad guy to worry about.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  6. That depends... by PetoskeyGuy · · Score: 5, Funny

    The $5 Million reward is only payable in Vouchers for Microsoft Software.

  7. More validation of Microsoft's central philosophy: by Anonymous Coward · · Score: 5, Funny

    Specifically: You can buy anything.

  8. Business model . . . by Idou · · Score: 4, Funny

    1. Write worm
    2. Find someone in severe financial trouble
    3. Have that person release the worm from home computer
    4. Turn that person in and collect the reward
    5. Place 75% in a high interest foreign account and keep the rest
    6. After the guy gets out of jail, send him a key to a safety deposit with all the information he needs to start a new life
    7. Profit

    --
    Make America Great Again!
    1. Re:Business model . . . by ion++ · · Score: 5, Funny

      The information in the safety deposit is a note saying:

      1. Write worm
      2. Find someone in severe financial trouble
      3. Have that person release the worm from home computer
      4. Turn that person in and collect the reward
      5. Place 75% in a high interest foreign account and keep the rest
      6. After the guy gets out of jail, send him a key to a safety deposit with all the information he needs to start a new life
      7. Profit

  9. Re:Proof ? by John+Seminal · · Score: 4, Insightful
    There is proof.

    1) They can show he had the ability to write it.

    2) They might have people who he told he wrote it.

    3) There might be evidence on his computer.

    4) They can look at how it spread, and what he had access to.

    5) They might have been tracking his internet activities, seeing where he was and what he was doing (they had probable cause).

    I think there are many things the police can do to find out if it is him.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  10. Good like the lesser evil? by Clinoti · · Score: 5, Funny
    Other people are not happy that this guy was caught because you have to subtract the disappointment from the companies that profit from viruses, and adware, and spyware. Just another angle to look at.

    I wonder if MS can keep up this effort and if we'll eventually start to see sponsored virii added to the real TCO for windows OS'. Oh wait.

    --

    Let's keep in mind that patents are in place to keep lawyers employed and keep them litigating. -CatGrep

  11. Re:Oh, guess what ... by John+Seminal · · Score: 4, Insightful
    It appears the reward is only offered once a virus has done some serious damage, so it only has the effect of stopping one virus coder at a time. It does nothing to stop aspiring young virus writers from aspiring to be virus writers.

    It has deterrent value. It says if you become good at writing viruses you will get nailed. Maybe MS does not care about the young kid messing around who does not damage anything. Microsoft is showing good restraint.

    Plus, I can't help but think that comment is typical of how people treat MS. They either complain they are not doing enough or too much.

    --

    Rosco: "If brains were gunpowder, Enos couldn't blow his nose."

  12. Actually . . . by Idou · · Score: 4, Funny

    "A: release it to the news/public and risk MS ire
    or
    B: Submit it confidentially to the MS bug track for a hefty reward"

    That system already exists. It is called "Black Mail."

    --
    Make America Great Again!
  13. Bounty Hunter by Ugmo · · Score: 4, Insightful

    OK, I want some of that dough.

    The article mentions that Microsoft used some technical means to confirm the informants' information but the informants did not use technical means to identify the guy. This leads to some questions:

    Does Microsoft somehow bug your code if you use MS products to produce it? If I remember correctly some of the Word macro viruses had an ID number somewhere inside them that let MS identify the copy of Word that originally produced the virus.

    Is such a serial number/product ID what MS used to confirm the informant's information?
    It would not necessarily need to be a number. Deliberate variations in the code produced by a compiler from one machine to the next could be used as a fingerprint.

    Barring that, was there some other technical means that could have been used to locate the author?

    If I wanted to be an Anti-Virus Bounty hunter is my best bet learning to decompile code or to hang around on IRC chat channels and either encourage other users to write viruses so I can turn them in later, or make friends with real virus writers so I can turn them in?

    Maybe a piece of reference code can be made available on a website and people can compile it on a range of machines and MS compilers. The resulting code can be compared to see if the machine/compiler pair can be identified from the executable. If two machines with the same OS and development tools create code with slight differences I would begin to worry if I were a virus writer.

  14. access by Beer_Smurf · · Score: 5, Insightful

    I am amazed, with the number of open access points, that someone ever gets caught. Guess they can't help bragging to their friends.

  15. Let's get this over with! by ites · · Score: 5, Insightful

    Any strategy contains the seeds of its own failure. In this case, bribing criminals to hand-over their own is a classic but short-term solution.

    Firstly, it sets the stage for blackmail. If one isolated hacker is worth $5m, how much is an unreleased worm worth? Probably much, much more. I'd not be surprised if MS regularly get asked for money upfront before worms are released. Paying out will only make this worse.

    Secondly, it is a Darwinian filter. Yes, you can pay to get hold of an isolated criminal. No, you cannot use this tactic against criminal gangs. $5m is not a lot when compared to the value of a large botnet. Setting bounties will eliminate the free-lancers and leave the stage open for more organized criminals who will probably be more aggressive in using zombied PCs for criminal acts (child porn, DDoS, etc.)

    Thirdly, it is prejudicial and likely to lead to the arrest of innocent people. Given that any zombied PC can be used to launch a worm attack, how can any evidence be trusted? Confessions, too, are unreliable. Bounties are rapidly turned into lynchings.

    Lastly, it is a distraction from the real issue: Windows' fundamental security weaknesses. Microsoft must release a secure Windows within the next 12 months or risk permanent damage to their brand. Paying bounties for worm writers fools no-one: Windows remains insecure and there remains an unlimited supply of smart criminals happy to take advantage of that.

    --
    Sig for sale or rent. One previous user. Inquire within.
  16. ...and the implication.... by bagofbeans · · Score: 4, Insightful

    ...is that the software system design, default behaviour, and security level is so poor that a 17 year old can easily exploit it and cause so much damage.

  17. Positive thinking? by Idou · · Score: 4, Insightful

    Look, if an anti-social 19 year old can create such a devastating worm, I am afraid the odds are against this strategy of fighting the problem. What, there must be a 100 MILLION other kids just like him, playing away on their windows computer, looking to be more than just a pimple faced teenager.

    Let's see, ingredients to a killer windows worm:

    1. Anti-social teenager
    2. windows computer
    3. internet connection
    4. some free time (see 1.)

    Sorry, this is just not the way to resolve the problem. It is just too easy, not even worth celebrating. No wonder MS is ONLY investing 5M in this method (what is 5M to MS?).

    --
    Make America Great Again!
  18. Re:Why? by Anonymous Coward · · Score: 5, Insightful

    Here's a better way to put it.

    If the doors in your house are faulty and won't lock at all, then someone breaks in, who is to blame? The intruder, or the company that sold you the defective doors?

    I say both.

    And because the "door company" is paying to find the intruders after they have broken in does not mean it solves the problem, maybe they should fix the locks first. That sounds like a reasonable idea.

  19. Re:Why? by Waffle+Iron · · Score: 5, Insightful
    Your analogy is flawed.

    It is like saying that if I leave my back door unlocked at night, I am to blame if someone breaks in.

    It's not like a door on your house. It's more like you're a tenant in a large apartment block in a bad neighborhood, and the landlord hasn't installed working locks on any of the apartments.

    I say I have a gun, and if someone breaks in, they are getting shot.

    But in this case you don't have a gun, nor can you get one. There's just about nothing that you can do as an individual to retaliate or even track down the perpetrators.

    It's more like this: After years of complaints, the negligent landlord decided to hire a private investigator. After almost a year, this PI has managed to track down just one out of the hundreds of criminals harassing the neighborhood. BFD.

    Maybe if it was not for the virus writers, the cost of Windows would be cheaper.

    Maybe if it weren't for thieves, the cost of apartments would be cheaper. They wouldn't need security services or door locks. Unfortunately, that's a pipe dream. In the real world, you're not ever going to avoid paying for security. Deal with it.

    Microsoft, the brilliant businessmen that they are, has actually managed to avoid or push off onto others the full costs of security for quite some time. However, even they will not be able to avoid the inevitable forever.

    They are going now to pay to fix their mistakes with some fraction of their pile of cash, but more importantly, they are going to have to design security into their software up front. This is going to significantly slow down their pace of churning their software updates. This loss of some of their competitive edge is going to be the real price that they pay.

    I think it is horrible for someone to defend a criminal because the criminal had opportunity to commit a crime.

    Likewise, it's bad to defend negligence on the part of those responsible for providing security measures by saying "Sure the security was badly flawed, but if there weren't any bad guys in this world, we wouldn't need security!"

  20. Re:Why? by wharrislv · · Score: 4, Insightful

    Yeah dude, totally...just like someone who makes a biological weapon to expose the weakness in the current national security infrastructure. They could just leave it out on the street marked "use me to fuck up the entire city."

    They haven't done anything wrong, right? I mean, they didn't RELEASE the poison, and their aim is noble since they really only expose all the country's physical security holes.

    FUCK virus writers. They cost people money and time. Money and time is LIFE, just because they take it from you 10 minutes at a time doesn't make it any easier to swallow.

    If you want to make people more aware of security, try community outreach. Get involved locally and make a real difference in people's lives. Take charitable contributions to buy billboards and TV commercials. Get the big players involved.

    But...wait, that would be POSITIVE. That isn't nearly underground enough for your typical virus writer. Their rhetoric is a fucking smokescreen, they're slimebag criminals and they deserve to be punished just like a CEO who jacks down stock prices. They're both doing MONETARY damage. Money is time and time is life, never forget that.

    --
    http://wharris.poweredbygeek.net