Archive for February, 2009

Should manufacturers pay rewards for malware authors?

Tuesday, February 17th, 2009

So, Microsoft has offered a reward for information on the writers of the Downadup worm. Following a tradition going back many years where rewards were put up for murderers, highwaymen and even kings, the IT industry truly is ‘back to basics’. Don’t knock it, it works. Sven Jaschan, the author of the Sasser and Netsky worms, was arrested in May 2004 after a reward of £250,000 was offered. But there isn’t much consistency in how and when rewards are put up. When Storm was at its height, no reward was offered, and yet it actually went live, whereas Downadup is yet to do so.

I suppose this reflects real life: not every crime has a reward associated with it. However, it is a good indication of our failure to govern this new virtual world, and to learn from real-world experience. I am reminded why Bonnie and Clyde were initially so successful as bank robbers – they could always dash across a state line and be safe from prosecution. In the end, the US had to amend its laws to close this loophole. This is precisely where we are with Internet crime. Hackers in one part of the world can commit crimes in another, remaining out of reach of the relevant authorities. It is an international problem which needs an international solution, just as the US needed a nationwide solution to catch bank robbers. In the meantime, rewards are the best we’ve got.

Scaremongering or informing?

Monday, February 9th, 2009

There’s been a bit of discussion over the last week as to how and when security companies should promote themselves. A couple of the big vendors have been criticised for scaremongering – http://www.itpro.co.uk/609768/sophos-hits-back-at-scaremongering-accusations – in order to generate publicity for themselves.

It can be a fine line to tread. On the one hand, the security industry would be irresponsible if we didn’t take seriously our role to educate and inform users of the very real threats that are out there. On the other, it’s easier to get publicity by pulling a stunt that is designed to frighten, rather than educate, users. And of course some companies have been guilty of this in the past.

But the truth is, there are threats out there. And mostly, they rely on some kind of user participation to work (spam only pays if people buy from it). So informing those users of the threats they face is a good thing.

I actually don’t think that creating a Facebook site to encourage people not to buy from spam is scaremongering. It may not be the most effective tactic to stop spam, but it certainly doesn’t do any harm. Spam is a very real threat. It would have been different if a Facebook site had been created to promote the threats presented by mobile viruses, for example, which aren’t yet a big problem.

But we do need to act responsibly by presenting the facts in an even-handed way, being honest about the scale of the threats we face, and creating a debate about how we can tackle them.