Security Watch: Don't get burned by viruses and hackers.
Why Microsoft's hacker bounty is wasted
By Robert Vamosi 
Senior associate editor, CNET Reviews
November 12, 2003

Last Wednesday, Microsoft, the FBI, the U.S. Secret Service, and Interpol, an international law enforcement organization, announced a $5 million reward system for information leading to the arrest of individuals who write computer viruses. In particular, Microsoft is offering a quarter of a million dollars to apprehend the authors of last August's MSBlast and Sobig.f worms.

What a brilliant PR move--something to distract the media from the latest Windows-based virus, MiMail.c, that's currently loose on the Internet. Instead of using that same $5 million to secure the Windows code you and I use every day and admitting that it's partly responsible for the problem, Microsoft has decided to point the finger elsewhere.

We've seen this before
This situation reminds me of the current U.S. antidrug strategy, in which the government spends billions of dollars on drug interdiction and user arrests. While it's important to reduce the flow of illegal substances on our streets (and I'm not suggesting we legalize all drugs), such arrests alone are not enough. We also need programs that address the addictive behavior that creates demand for drugs. By not focusing on the underlying causes of drug use, we are consequently losing the war on drugs.

In the same way, Microsoft is taking the wrong approach. Arrests won't stop viruses from being created, just as they won't stop drugs from being sold. Microsoft and others could spend $50 million on rewards, and we would still have sophisticated Internet worms like SQLSlammer and MSBlast. The way to stop viruses is to develop secure software. Yet, while every operating system is probably vulnerable to some sort of attack, it's well known that Windows is particularly poor with respect to security.

Windows XP Home Edition, for instance, ships with its built-in firewall disabled by default (many users don't even know it exists) and with all of its Internet ports open. By comparison, Mac OS X at least arrives on your computer with all unnecessary Internet ports closed. The same goes for the various Linux distributions.

Microsoft, to save time and money, designed Windows XP to be adaptable for different types of users. But the company should be more cautious about which features are turned on when the OS ships.

After all, do home users really need all their Remote Procedure Call (RPC) ports open by default? Do they need network printer and file sharing enabled? Or for that matter, do they need the Microsoft Messenger Service turned on? No, they don't. Yet these are the features by which several recent viruses have infected many home computers.

Insecure about the new Microsoft Office
Looking forward, I see the same sort of thing happening with the new Microsoft Office System. Many of the new rights-management features found within Word, Excel, and Outlook are designed to work with an external server--functionality that most home users, and even many business users, won't ever use. Nonetheless, Microsoft enabled all its programs to be open to communications from outside servers, leaving them vulnerable to attacks.

This blanket policy regarding program functionality is what contributed to the overnight success of the MSBlast worm last August. Most people had never heard of DCOM RPC, nor knew that it should be disabled for increased security, until MSBlast infected almost every Windows 2000 and Windows XP user not protected by a firewall.

Microsoft could better use its $5 million bounty to improve security on its software. And it wouldn't cost the company anything to, by default, enable XP's firewall, close all unnecessary ports open to the Internet, and remove services that the average home user doesn't need.

While it's at it, Microsoft should send its customers CDs every month with the latest Windows and Office patches and program upgrades to install at our leisure. (If AOL can do it, Microsoft can, too.) These changes would be expensive for Microsoft, but could make a real difference to end users--which the $5 million bounty most likely never will.

What do you think of Microsoft's hacker bounty? Will it help secure the Net? How do you think Microsoft should improve security? Tell me about it--TalkBack to me!

