Users Mixed on Microsofts Hacker Bounty

In the wake of Microsoft Corp.s establishment last week of a multimillion-dollar fund to help track down virus writers, many enterprise security managers and experts are saying the move is a red herring for the companys software.

Microsoft announced it has set aside $5 million for a fund that seeks information leading to the arrest and conviction of virus writers. The fund will be administered by Microsoft, which has already set bounties of $250,000 each for the authors of the Blaster worm and the SoBig virus. Officials in Redmond, Wash., said they hope the fund also will serve as a deterrent for those considering releasing viruses into the wild.

But some security watchers arent buying it.

“Just change the perception, and, more than likely, youll change the reality of most of the people, most of the time,” said Dennis Jugan, an independent security consultant in Johnstown, Pa. “If you cant produce a top-notch product, distract the naive or apathetic customer and manage their perception of the core issue.”

Still, law enforcement representatives and other security experts applauded Microsofts initiative, saying help in catching virus writers is welcome. With dozens of viruses emerging every year, the small group of agents at the FBI dedicated to tracking down computer criminals are overwhelmed and often have little luck finding those responsible for a given virus. The bureau did arrest two men for allegedly violating the Computer Fraud and Abuse Act, claiming they created separate, minor variants of Blaster this summer. But the author of the original worm is still unknown.

“Law enforcement does not have all the answers, and the private sector doesnt have all the answers. Its important that we cooperate,” said Peter Nevitt, director of IS for Interpol, the multinational police force based in Lyon, France.

Other veteran computer-crime investigators said Microsofts tactics could have a real effect on helping to track down online criminals.

“Theyre going back into the trick bag. When you put a bounty out, theres no honor among thieves,” said John Frazzini, vice president of intelligence operations at iDefense Inc., based in Reston, Va., and a former federal agent. “Traditional investigative techniques dont work when youre seeking cyber-criminals.”

But many security professionals, while acknowledging the need to hold virus writers accountable, said Microsoft is creating a diversion to draw attention from security problems in its products.

“The most likely [scenario] is that software vendors, particularly Microsoft, are blaming hackers in an attempt to take the spotlight off of vulnerabilities in their products,” said the information security manager at a major national bank who asked not to be named. “The problems … involve more vendors than Microsoft.”

Microsoft officials acknowledge that the company still has work to do to improve software security. But they said the reward program is an indication of the companys willingness to try new tactics to protect customers.

“Developing software thats more secure is a top priority. Technology is the most important piece to this,” said Sean Sundwall, a spokesman for Microsoft. “This is no silver bullet.”