Will Microsoft's 'Hang 'em High' Plan Work?

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The security community is reacting with both incredulity and excitement to the news that

Microsoft is putting a quarter-of-a-million-dollar bounty on the heads of the virus writers

behind the highly destructive Blaster and Sobig worms.

Microsoft Corp. announced yesterday that it is offering up separate $250,000 rewards for

information leading to the arrest and conviction of the Blaster and Sobig authors. The

rewards are part of the $5 million fund that Microsoft set aside to battle malicious code

and the hackers and spammers behind it.

The software giant is working alongside the FBI, the United States Secret Service and

Interpol in its anti-virus efforts.

”This has really become the wild, wild West,” says Ken Dunham, director of malicious code

at security company iDefense, Inc. based in Reston, Va. ”You put a big enough bounty out

and sooner or later you’ll hang somebody. A hundred years from now, people will be watching

old movies about Microsoft, and a big bounty and all the hacker hangings.”

Dunham says Microsoft’s high-profile, high-priced effort is an announcement that the company

is taking viruses seriously and that people will be held accountable for their actions.

But Steve Sundermeier, a vice president with anti-virus company Central Command, Inc., based

in Medina, Ohio., says Microsoft needs to be held more accountable for its own actions.

”It’s kind of a public admission that there’s a problem that needs to be addressed with the

Microsoft software itself,” says Sundermeier, who notes that Microsoft also may be reacting

to the heat its feeling from competitor Linux. ”With a bounty, they’re trying scare tactics

instead of addressing vulnerabilities that exist in their own software.”

But while Sundermeier says Microsoft should be investing more in debugging Windows, he does

say that the bounty just may bring some informants out of the weeds.

”Money always talks,” he adds. ”The odds of somebody talking when there’s a quarter of a

million dollars on the line is much greater.”

Patrick Gray, a 20-year veteran of the FBI and currently a director at Internet Security

Systems’, a security company based in Atlanta, Ga., says experience in law enforcement

proves that money definitely talks.

”I think it’s cool. It’s a marvelous idea,” says Gray. ”Remember that there is no honor

among thieves. And $250,000 to a guy sitting in his bedroom is a lot of money… We’ve been

doing this for a hundred years in the physical sector — all the way back to Billy the Kid.

There’s no reason it shouldn’t work here.”

And Gray says the bounty just might work because virus writers like to brag. They write a

virus and then watch it wreak havoc in the wild. But where’s the fun if no one knows they

were behind it? They head to a hacker chat room or IM their friends… and they brag.

”I worked the Mafia Boy investigation — the guy who took down eBay and CNN,” says Gray.

”He was all over the chat rooms. We caught him within seven or eight days of his last hit

on CNN because he was out there talking about it.”

Microsoft and the Feds obviously are hoping this move extends beyond convicting the people

behind Sobig and Blaster. They are hoping this will be a deterrent to future virus writers.

But iDefense’s Dunham says it won’t be a deterrent if people are simply ratted on. People

need to go to jail before it will have a real effect on the hacker community.

”People will pay attention if they start to get these guys and they’re strung up,” says

Dunham. ”If they don’t hang anyone, it won’t be anything more than a marketing ploy… It’s

a complicated puzzle leading to an arrest. It’s going to be very difficult actually putting