Microsoft's Virus Bounty Plan Sound Familiar? It Should

from the worked-so-well-the-first-time dept

When I started seeing stories all over the web about Microsoft's offer of a $250,000 bounty for the authors of the Conficker virus, I thought that the plan sounded awfully familiar. Going through the Techdirt archives, I turned up some stories on bounties for phishers and spammers, then found a post from 2003 talking about how the company had set aside $5 million for bounties on people who wrote viruses and worms. While it's not clear if Microsoft has actually paid out any of that cash, it is pretty clear that the bounty plan hasn't done much to make Windows any more secure since it was announced. And neither will this latest bounty. Like the previous plan, it's gotten Microsoft tons of press that makes the company look tough -- but it doesn't solve the underlying security problems of the Windows platform. Catching the people who wrote the Conficker worm won't undo any of the problems they've exposed, and it certainly won't make Windows users any more secure.

Filed Under: bounty, cornficker, virus
Companies: microsoft


Reader Comments



  1. Anonymous Coward, 16 Feb 2009 @ 7:35am

    Actually, if they find him and hire him to help with security testing...

  2. Ima Fish, 16 Feb 2009 @ 7:36am

    The bounty is an empty promise because your information has to lead to the arrest and conviction of the author. So even if you rat the person out, Microsoft still has a lot of wiggle room to get out of paying.

    No conviction, no pay. Conviction, but it's a plea to a lesser charge, no pay. Conviction, but the police found a lead independent from your information, no pay.

    Ratting out your friend/associate for the mere minuscule chance that MS might pay up a 1/4 of a million dollars, on which you'll have to pay a boatload of taxes...? Not worth it in the least.

  3. Anonymous Coward, 16 Feb 2009 @ 7:40am

    No... it won't fix the underlying problem that caused Conficker... the patch they released months before does.

  4. Valkor, 16 Feb 2009 @ 7:48am

    I heard on the radio that MS paid out a bounty for the Sasser worm, so at least I think it's a little more credible than the BSA's bounties.

  5. James (profile), 16 Feb 2009 @ 8:03am

    Bounty

    Call Dog Chapman. He tracked a guy the cops gave up on and found him hiding in a ravine. He can surely catch a geek.

  6. GeneralEmergency (profile), 16 Feb 2009 @ 8:43am

    Didn't Bruce Schneier coin the term...

    ....."Security Theater"?

    But this is actually doing less than nothing, in terms of real security, isn't it? So we should all call this nonsense "Security Theater Advertising".

  7. Anonymous Coward, 16 Feb 2009 @ 9:08am

    Marketing

    It's probably a ploy to keep a large account with beef over maintaining patches from migrating to Linux, FreeBSD, or (oh gee) OS X.

  8. PaulT (profile), 16 Feb 2009 @ 9:36am

    Re:

    "No... it won't fix the underlying problem that caused Conficker... the patch they released months before does."

    No, it won't.

    There was no patch before Conficker was released into the wild. Microsoft released a patch soon after, but it was several weeks before many companies could deploy it as Microsoft patches do have a habit of screwing up large enterprises in various unexpected ways if not properly tested beforehand. Microsoft have also not released patches that work with some service pack versions of 2000 and XP.

    So, regular patching would not have helped in this case. The virus attacked yet another buffer overflow vulnerability, a class of attack that Windows always seems particularly vulnerable to. Microsoft do still deserve some blame in this attack, and the bounty is a half-assed attempt to save face among the mainstream media.

  9. Anonymous Coward, 16 Feb 2009 @ 9:36am

    Re: Bounty

    Haha, Dog can find junkies on an island, not someone who uses their brain.

  10. Anonymous Coward, 16 Feb 2009 @ 9:51am

    Dog is serious about security.

  11. Anonymous Coward, 16 Feb 2009 @ 10:20am

    Re:

    Everyone is still waiting for you to finish that sentence.

  12. derek, 16 Feb 2009 @ 12:01pm

    LINUX

  13. Trevlac, 16 Feb 2009 @ 7:37pm

    To be fair, Conficker affects XP machines worse than Vista from what I've seen at the tech bench since this thing spread. Since XP is falling by the wayside, I'm sure Microsoft isn't terribly concerned with protecting it much. The only reason I can see is the people who choose to fervently live in the past (this OS is approaching 8 years old).

  14. Dan, 16 Feb 2009 @ 9:32pm

    Before XP "falls by the wayside" M$ will have to develop something far better than Vista, not just Vista SP2 (Windows 7). We are tired of buying broken shit that won't work till SP4, so those that got stuck with Vista need to start demanding something other than $300 million ad campaigns, like an OS that works. For the time being XP at least works; an "upgrade" to the new Yugo isn't the answer.

  15. infected, 29 Mar 2009 @ 7:59am

    concerned civ.

    WHY WOULD THEY HIRE HIM?

  16. JJJ, 1 Apr 2009 @ 7:02pm

    Re: No...

    Why would they hire him if they're paying 5 mill on the guy's head? Seriously, if anything they would just find a way to isolate the virus. Hopefully no one will catch this god-forsaken virus.

  17. JJJ, 1 Apr 2009 @ 7:07pm

    Re: Still

    The bounty is in no way an "empty" promise. Chances are the person who is doing this is very lucrative with their work, or there are many trackers trying to trace this virus. Remember, 5 million is a huge fucking amount; why would one want to risk jail time for someone else to get 5 mill? If you report it to Microsoft it's different from reporting it to the cops, since Microsoft is offering the bounty. Of course Microsoft makes sure you're not affiliated with this person's scheme in any way. Get me?