September 30, 2011, 12:30 PM — I always get a little suspicious when vendors are too eager to toot their own horns about all the public good they do.
Corporations tend not to be that interested in the public good beyond the benefit it brings them in the occasional bit of good publicity.
That's not a slam on corporate morality; when you work for a company, especially when you're one of the top decision-makers, your responsibility is to the owners. The owners are shareholders who, with their attention divided among many different companies or mutual funds, each of which they own a tiny piece of, don't gather en masse to endorse charitable spending by corporate execs who can be perceived as glossing their own images using shareholder money.
Microsoft's pursuit of spam-spewing botnets has some flavor of the insincere effort in the public good, but its reputation for security was so bad for so long that anything it can do to be obviously reducing security risks to its customers is a good thing for its image and the security of its customers.
Knocking down a botnet is a particularly good way to do it. It's high profile, you usually don't catch the perpetrators, so no one has to feel sorry for 19-year-old hackers like Topiary – the LulzSec spokestroll arrested in England for not being entirely circumspect about his online activities, but who looks like such an innocent in the perp-walk pictures it's hard to imagine the mouth on that kid.
Knocking down a botnet has an even greater impact for Microsoft: the fewer botnets spewing fewer phishing and malware-infected email, the fewer actual risks will be arriving in the email of its customers and the fewer will be victimized.
The fewer who are victimized, the smaller the number of them who will automatically blame Microsoft whenever anything bad happens.
It turns out Microsoft was little hasty in announcing "its" success Wednesday, though.
Microsoft – in the personage of the attorney who runs its Digital Crimes Unit – announced that it had tracked the botnet command servers to their lair and there slew them with a mighty request to a local court for an injunction allowing it to remove the IP addresses from those servers without the owners' permission.
It was stirring. It went heavy on the legalese. I had goosebumps.
Reuters: Screen at FBI cybercrime anti-spam, anti-botnet training academy.