Monday, February 16, 2009

Should Microsoft Pay to Catch Authors of Viruses?

I have a very limited set of programming skills, but I think it is easy to understand why a number of practised code writers opt to write viruses. More recently it has become clear that a good number of virus writers are motivated by the desire to take over PCs and use them to direct attacks, either by paralyzing systems or by stealing valuable information. It is easy to see that, as a large proportion of professional work is performed on computers, there will be greater value to be had by these attackers. The economic prize to be grabbed is simply too great to pass over, given that the existing security features of the most widely used operating system are weak. For the reasons above, Bruce Schneier has correctly asserted that the quest for increased security is an arms race with computer virus writers, who will respond to every new patch by identifying an alternative weakness to exploit.

The abiding question is how to respond to this arms race by using available resources efficiently and minimizing the disruption and theft that follow from the writing of viruses and other attacks. According to this story by Charles Arthur in the Guardian, Microsoft Corporation has offered a US $250,000 reward for information leading to the identification and arrest of the person(s) responsible for the "Conficker/Downadup" worm, which has spread to a large number of Windows-based machines.

While I applaud private businesses supporting law enforcement, I hold the view that this approach is not the most effective use of that money. To begin with, it is based on paying to catch an offender after the damage has been caused, and it does not of itself yield a solution to the security gap that was exploited. Secondly, as the article states, the history of such offers suggests that they rarely yield much useful information.

To my mind, the substantial rewards that Microsoft is putting forth should be designed to inspire the early detection of the software flaws that make such attacks possible. In this sense, Microsoft's money should be used as a preemptive incentive. This would lead software writers to concern themselves with identifying the problems that criminal programmers would exploit. It would then be incumbent on Microsoft Corporation to assess the potential weaknesses and begin to fix them. To continue to offer a prize for identifying virus writers suggests that Microsoft is oblivious to the real implication of these attacks. Brains should be employed in solving the problems rather than in waiting to identify who did it. Needless to say, it implies that the existing operating systems and network software are inherently weak and bear as many flaws as the design of the prize.
