Microsoft announced today that they would pay a $250k bounty to two individuals who brought in the writer of the Sasser worm. I view this as a positive initiative aimed at reducing the number of worms attacking our systems. To date, Microsoft has been focusing efforts on reducing the attack surface of its products, but at some point you reach the law of diminishing returns and have to consider alternatives.
In the case of security, the goal is to increase the cost to the attacker such that it is higher than the expected benefit. You increase that cost in two ways – by minimizing vulnerabilities, or reducing attack surface, and by reducing the threats. Reducing attack surface nominally increases the cost, but really doesn’t do a whole lot given today’s practices of seeking out new vulnerabilities and publishing proof of concept exploits.
On the threat side, it is extremely difficult to do much given the common hatred of Microsoft by worm and virus writers, and the adulation they receive(d) when writing their malware. Remember, these folks have plenty of time and plenty of targets. Implementing a bounty, then, is intended to increase the likelihood of an attacker getting caught and being sent to jail, or at least being convicted of a crime. This is a pretty serious downside for script kiddies who think this stuff is playtime. It also limits the benefits, since the primary one has always been ego-oriented. Now, an attacker must consider who he/she tells, because there is a bounty on their head. Nice.
Red Herring carried an article on this here. When I spoke with her, the reporter was really curious about whether the rest of the software world would join in and create their own bounties. I think this is unlikely since 1) most don’t have the money that MS does; 2) most don’t have the magnitude of the problem that MS does; and 3) there is no evidence that bounties actually work (in this case, there is information that it didn’t matter).
I think we are getting better at catching these folks, and this is good news for the Internet threat posture overall. Now, I would love to catch the Blaster and Witty authors.