Slashdot Mirror


Microsoft To Pay $200k Prize For New Security Tech

Trailrunner7 writes "In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to 'inspire researchers to focus their talents on defensive technologies,' the company said. Known as the Blue Hat Prize, after the company's regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google, Mozilla and others do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs."

111 comments

  1. $200,000 by wsxyz · · Score: 1

    Awesome! That'll pay for 15 graduate students!

    1. Re:$200,000 by bberens · · Score: 1

      Awesome! That'll pay for 15 graduate students!

      More like 15 graduate credits. Inflation gets you every time.

      --
      Check out my lame java blog at www.javachopshop.com
    2. Re:$200,000 by Anonymous Coward · · Score: 0

      I was gonna go the other way. Note he said "that'll pay for 15 graduate students" not "that'll pay for 15 people to go to graduate school". These days I'm pretty sure you can buy a graduate student for like $10 tops.

    3. Re:$200,000 by Anonymous Coward · · Score: 0

      I give you the "Air Gap" some might say it's vapour ware but I think it will work!

    4. Re:$200,000 by gweihir · · Score: 1

      In countries where PhD students are compensated reasonably (and hence are among the best), this does pay for about 1/4 of one PhD. For real results, MS would have to invest more like 5 Million. This is a stupid and pathetic publicity stunt.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. It's worth a lot more than that by blair1q · · Score: 4, Insightful

    If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

    1. Re:It's worth a lot more than that by mushroommunk · · Score: 1

      But then Microsoft will find some BS law stating that since it was developed in regards to this competition they own the product and require you to hand over your code... or worse.

    2. Re:It's worth a lot more than that by fishybell · · Score: 2

      If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

      The $200k is essentially the license fee for the idea to Microsoft. Not a great deal, but not a bad one either.

      You can still sell the idea (and implementations) to whomever you desire (including Microsoft if they want to buy a better implementation).

      The biggest problem I see is what happens if you win the MSDN subscription (no cash) or the $50k prize. The no-money MSDN is an obvious bad deal on a potentially profitable product, and the $50k is likely a very bad deal on a potentially profitable product. Microsoft will however likely not implement any one idea, but rather a collection of all ideas.

      You can however always rest easy knowing that their implementation of any security product will be so-so at best. If you have a great idea and a great implementation even winning the MSDN subscription will net you a profit in the long run by licensing to others. The free press is also worth an amount, even if it can't be calculated or measured.

      --
      ><));>
    3. Re:It's worth a lot more than that by Jahava · · Score: 1

      If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

      Cool, then the next-best one will win ... and so on. Either way, MS will get something useful for $200K, and in your best-case scenario lots of worthwhile products will be monetized to improve security.

    4. Re:It's worth a lot more than that by LifesABeach · · Score: 1

      Maybe, but by m$ offering anything could easily be construed as Negotiation.

    5. Re:It's worth a lot more than that by sqlrob · · Score: 1

      Not quite.

      The promise of a potential $200K is the payment. It's a crappy deal. They can use any of the submissions, not just the winning ones.

    6. Re:It's worth a lot more than that by aztracker1 · · Score: 1

      You can however always rest easy knowing that their implementation of any security product will be so-so at best. If you have a great idea and a great implementation even winning the MSDN subscription will net you a profit in the long run by licensing to others. The free press is also worth an amount, even if it can't be calculated or measured.

      Seeing that their Security Essentials is better than the other free options, and many paid options, that may be bias speaking.

      --
      Michael J. Ryan - tracker1.info
    7. Re:It's worth a lot more than that by Isaac+Remuant · · Score: 1

      And this is why I think Contests make for one of the biggest legal scams of the internet age.

      Some might turn out wonderful for the winners but beware of any resource provided by the organizers that might render your own work unusable (unless you win and only on their terms). If you intend on competing for a prize and not just using the experience make sure you read the terms and conditions multiple times and ask around in case of any ambiguities or you might end up feeling quite disenchanted.

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
    8. Re:It's worth a lot more than that by fishybell · · Score: 1

      I love MSSE, but Microsoft bought it. It wasn't developed in-house so much as re-branded in-house.

      --
      ><));>
  3. That's an innovative approach.. by Anonymous Coward · · Score: 1

    And that's all I have to say about that.

    1. Re:That's an innovative approach.. by erroneus · · Score: 3, Insightful

      If by innovative you mean "wrong" then yes, I agree.

      Microsoft created this beast of a problem over the years. It was a problem more than a decade ago and they let it grow in complexity and complication. They have it in their power to grow a culture of developers who are security conscious. And there have been countless opportunities for Microsoft along the way to rewrite their OS with security in mind and they haven't done it. Incremental improvements happened along the way and I am actually more pleased with Windows 7 than I ever expected to be. But Microsoft needs to get more serious than they are. They need to prepare themselves to piss off the advertising world by setting up Ad Block and No Script on MSIE. And if they integrate those two things along with a reputation scoring system which updates a local database of web servers which are safe and web servers which are known to be compromised, then they would have a more secure user experience.

      It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

      Microsoft needs to take charge on this matter, but they are clearly beholden to too many masters and their end users are the least important of them all.

    2. Re:That's an innovative approach.. by Anonymous Coward · · Score: 0

      If by innovative you mean "wrong" then yes, I agree.

      Take your blinkers off.

      Microsoft created this beast of a problem over the years. It was a problem more than a decade ago and they let it grow in complexity and complication.

      Let what grow? Idiotic fact-free rant.

      They have it in their power to grow a culture of developers who are security conscious.

      They've used that power wisely. Suggest you join the rest of us in the year 2011.

      And there have been countless opportunities for Microsoft along the way to rewrite their OS with security in mind and they haven't done it.

      What did you want to see implemented that was not done? Add some facts to the haterade please.

      Incremental improvements happened along the way and I am actually more pleased with Windows 7 than I ever expected to be.

      Great. The world was waiting on your approval.

      But Microsoft needs to get more serious than they are. They need to prepare themselves to piss off the advertising world by setting up Ad Block and No Script on MSIE.

      Finally some good suggestions -- if you just made that suggestion, and removed the fact-free rant, people would take your comment more seriously. It's very painful to have to read 3 paras of biased nonsense to come to the meat of a post.

      And if they integrate those two things along with a reputation scoring system which updates a local database of web servers which are safe and web servers which are known to be compromised, then they would have a more secure user experience.

      Already done.

      It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

      Fact-free again. Javascript is buggy on all browsers.

      Microsoft needs to take charge on this matter, but they are clearly beholden to too many masters and their end users are the least important of them all.

      Fact-free. Beholden to too many masters? WTF.. try to turn that into a factual statement you fucking moron.

    3. Re:That's an innovative approach.. by Anonymous Coward · · Score: 0

      There should be a class action against them for the harm done to government, commercial, and personal security by their past gross negligence. They should be required to release "in-the-wild" security patches that seek out and disable networking on all older OSes they've released that no longer get security updates or don't have them installed. Versions that can't safely go online long enough to get patches should be disabled too. Load a test file that appears at every startup explaining what has happened, and how to download/burn patches from a current machine or competing OS to an optical disc or USB drive. OSes that have an expiration date for patches should have networking expire on the same date as well. (And all networked machines should validate the dates with a time server or be disabled)
      Get their festering code off the intertubes! People have to vaccinate dogs, why shouldn't Microsoft take responsibility for their dogs??

    4. Re:That's an innovative approach.. by aztracker1 · · Score: 1

      It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

      If you wouldn't mind pointing out how Script engine exploits for the past 5 years or so have been worse than their major counterparts? It's been my understanding that Flash, Acrobat Reader and Java have been the main attack vectors, and this isn't limited to Windows, or a specific browser. Don't get me wrong, having scripts run in email, let alone having it run in the "local" not the "untrusted" zone was a very stupid move in Outlook and OE, but it really isn't 1999-2000 anymore.

      It's the sites/services actively working to continue supporting IE6-7-8 that are the problem... We should all push the yellow banner at the top to older IE users. Like the 20 things I learned site does... same for firefox 3.5, and older safari and opera versions.

      --
      Michael J. Ryan - tracker1.info
    5. Re:That's an innovative approach.. by mikael · · Score: 1

      1980s - biggest problem with MS-DOS computers was that anyone could delete and overwrite system files, especially in shared environments. It's really hard to believe now, but the standard PC didn't have any distinction between system files and user files except for the read-only, hidden and system file bits.
      Boot sector viruses were the biggest worry, with sys-admins/help-desks having to continuously fix PCs.

      On UNIX side, network worms were the biggest danger.

      1990s - Microsoft "fixes" the problem with Windows systems through the use of the "registry", which was to put all important system information in one big hidden place. Separate User IDs and accounts were introduced to give some basic security, but PC owners just give all their new accounts system admin access in order to allow the downloading of games. Neither of these helped to stop the problem of malware.

      If anything, having *hidden* compartments/directories/files on a system, only assists malware, by giving it places to hide data. Even deep directory paths and filenames with strange characters like * or # assist in this.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  4. A system and method for preventing virus infection by Compaqt · · Score: 1

    Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
  5. in other news, by theswimmingbird · · Score: 1

    Linus Torvalds just opened a new bank account.

  6. Can I submit "Linux?" by Anonymous Coward · · Score: 0

    Wouldn't it be awesome if RedHat won the Blue Hat prize.

    1. Re:Can I submit "Linux?" by Anonymous Coward · · Score: 0

      They'd have to rename the company Purple Hat.

    2. Re:Can I submit "Linux?" by hansraj · · Score: 1

      Even if this competition was about developing secure operating systems - which it is not - there are operating systems out there (though not in popular use) that are way more secure than Linux in implementation, design, or both.

    3. Re:Can I submit "Linux?" by realityimpaired · · Score: 1

      It's about ways to protect against bugs/exploits... specifically, about ways to protect against entire classes of bugs/exploits. In this case, they can learn a little from other systems, but it's not exactly innovative:

      1. No running as administrative user. Make it impossible to modify anything that isn't in the home directory of the user without logging out, and logging back in as an administrator. Make it impossible to run an executable from the home directory unless you're running with admin privileges. Make it impossible to elevate permissions without logging out and back in as an administrator. Introduce a minor annoyance when you're running as administrator that will convince users to log out and run as a regular user... something like disabling the sound card when you're running as admin coupled with a screen overlay reminding users that they're running as admin, and disabling aero/screen graphics effects.
      2. Set the default to have all ports closed, and to ignore ICMP packets.
      3. Make it impossible for programs to open up incoming ports on the consumer version of the OS.

      That won't prevent idiots from getting themselves infected... it's pretty well impossible to prevent idiots from getting themselves infected without removing the ability to expand on the factory configuration. It will, however, help protect against the majority of virus vectors currently in use. It'll also annoy users enough that they'll drop Microsoft like a used kleenex, and wouldn't make good business sense for them.

  7. Re:A system and method for preventing virus infect by grub · · Score: 1

    A 5 volt shock... yeah, that'll teach 'em!
    If they persist, fetch the dreaded 9 volt batteries from the armoury!

    --
    Trolling is a art,
  8. Makes sense to me. by Petersko · · Score: 1

    It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.

    1. Re:Makes sense to me. by 0123456 · · Score: 1

      It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.

      Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?

    2. Re:Makes sense to me. by Petersko · · Score: 1

      "Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?"

      It's only a better idea if they actually say yes.

  9. Re:A system and method for preventing virus infect by dragon-file · · Score: 4, Funny

    Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

    I've always preferred positive over negative reinforcement.

    --
    Whenever a player quits EVE to go play WoW, the Average IQ of both games increase.
  10. Re:A system and method for preventing virus infect by wsxyz · · Score: 1

    So every time you click on a non-malware site, then.... what?

  11. "focus their talents on defensive technologies" by Anonymous Coward · · Score: 2, Interesting

    "to defend against memory safety vulnerabilities"

    Funny that they are restricting people's talents like this. There may be better ways to defend against malware than this, which I don't think they are trying to defend against. It seems like this type of defensive vector might be more geared to DRM/TPM.

    1. Re:"focus their talents on defensive technologies" by hansraj · · Score: 3, Informative

      The only person quoted in TFA, Katie Moussouris is a senior security strategist in Microsoft's Trustworthy Computing Group. So I'd say that you might not be way off the mark here.

    2. Re:"focus their talents on defensive technologies" by KNicolson · · Score: 1

      Note that Trusted Computing (TPM etc) and Trustworthy Computing (secure coding etc) are very, very different things.

  12. Re:A system and method for preventing virus infect by biek · · Score: 3, Insightful

    A whoosh sound plays over the speakers.

  13. Re:A system and method for preventing virus infect by Meskarune · · Score: 1

    So every time you click on a non-malware site, then.... what?

    your computer gives you an orgasm.

    --
    cat /dev/head >> post
  14. Re:A system and method for preventing virus infect by Compaqt · · Score: 1

    If only the USB people had allowed for 3-phase power in the original spec...

    --
    I'm not a lawyer, but I play one on the Internet. Blog
  15. Stop using Windows by Rix · · Score: 3, Insightful

    When should I expect my cheque?

    1. Re:Stop using Windows by freeze128 · · Score: 1

      When should I expect my cheque?

      As soon as everyone stops using Windows.

      Ha Ha, BURN!

    2. Re:Stop using Windows by Anonymous Coward · · Score: 0

      Everyone will stop using Windows now that Microsoft is publicly admitting that all their billions of dollars can't buy a decent security team, begging the public-at-large for help.

      -- Ethanol-fueled

    3. Re:Stop using Windows by Anonymous Coward · · Score: 0

      I don't think they'll take this answer...

      Start using Windows, on the other hand, might indeed be accepted by our Redmond judges.

    4. Re:Stop using Windows by gstrickler · · Score: 1

      No, that approach fails to meet the contest terms. Use Windows, but only allow it to connect to a network (any network) through a proxy. The proxy is an *nix box running Windows in a VM, and each VM is only allowed to run a single Windows application. Multiple VMs cannot communicate with each other, but they can share specific directories stored on the host (and of course, the host is performing malware scanning on any files in those directories).

      Think of the benefits. No more DLL hell (no apps fighting over incompatible DLLs), no access to other apps info. No direct network access, inbound or outbound. No spreading infected files or email to other machines. No zombies. No access to the MBR or BIOS.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    5. Re:Stop using Windows by Anonymous Coward · · Score: 0

      Thanks to it going through Windows Update, my botnet is spreading like wildfire.

      Let's see who laughs last. :P

      P.S.: I swear, the CAPTCHAs are always words from one of the comments at that time!

    6. Re:Stop using Windows by Korin43 · · Score: 1

      Everyone will stop using Windows now that Microsoft is publicly admitting that all their billions of dollars can't buy a decent security team, begging the public-at-large for help.

      Clearly you've never met a Windows user. Microsoft could put viruses on their install CDs and publicly admit it, and people would still keep using it. In fact, after a couple years they'd start bragging about how much easier it is to get viruses on Windows ("Why do I get prompted for an administrator password before I can install viruses on Linux? It's so complicated!").

  16. Re:A system and method for preventing virus infect by Anonymous Coward · · Score: 0

    So every time you click on a non-malware site, then.... what?

    your computer gives you an orgasm.

    That's more likely to happen from a site containing malware, frankly.

  17. Re:A system and method for preventing virus infect by Baloroth · · Score: 2

    So every time you click on a non-malware site, then.... what?

    your computer gives you an orgasm.

    Wait, don't porn sites generally have the most malware?

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  18. I'll offer you by Anonymous Coward · · Score: 0

    my Red Hat for your Blue Hat.

  19. So what exactly does this entail by Riceballsan · · Score: 2

    I mean correct me if I'm wrong but it sounds like rather than actually plugging the holes that cause problems, they are looking for another antivirus equivalent to try and stop things once they fall into the holes? It sounds like a bug bounty system that doesn't want to actually involve fixing bugs.

    1. Re:So what exactly does this entail by h4rr4r · · Score: 2

      This is what you get when MBAs run a company. They don't understand the problem so instead they want people to find a magic solution and for cheap.

    2. Re:So what exactly does this entail by gstrickler · · Score: 1

      Actually, good security relies upon multiple layers. While this is no substitute for designing and writing secure code, the fact is bugs get through any development process. Therefore, having defenses that can catch/stop programs from exploiting those bugs is another level of defense. The more layers of security you have without getting in the way of performing work, the harder it is for any bug to be converted into a working exploit. Bugs still need to be fixed as quickly as practical, but additional layers shrink the exposure window.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    3. Re:So what exactly does this entail by gweihir · · Score: 1

      And that never, ever works. Pathetic MS publicity stunt, really. For this money you can get one reasonably smart and not too experienced person for a year. When doing a PhD at a good university, you need about that long to understand the problem area and formulate a research goal.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:So what exactly does this entail by gweihir · · Score: 1

      Actually, good security relies upon multiple layers. While this is no substitute for designing and writing secure code, the fact is bugs get through any development process. Therefore, having defenses that can catch/stop programs from exploiting those bugs is another level of defense. The more layers of security you have without getting in the way of performing work, the harder it is for any bug to be converted into a working exploit. Bugs still need to be fixed as quickly as practical, but additional layers shrink the exposure window.

      Indeed. And that is, from a security perspective, one of the most important arguments against Windows. They have a rather pathetic excuse for OS layer security. This is their main problem from a technological point of view. Of course, as MS does not care about technological excellence, this is also the predictable result and is the reason why a community effort, or really several ones, are now far, far ahead of them.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:So what exactly does this entail by Anonymous Coward · · Score: 0

      A most brilliant insight. The more MBAs I meet, the more I think it means Manage Business Abysmally.

  20. Is Microsoft fishing for hackers? by Anonymous Coward · · Score: 0

    My solution would be equivalent to putting Microsoft in the Games folder and running any free operating system.

    Like you guys said, one could net a lot more than $200k by solving the cancerous malware that plagues MS systems for most users.

  21. default deny by symbolset · · Score: 1

    That's going to be the most help. Make out the check to fsf. You're welcome.

    --
    Help stamp out iliturcy.
  22. How cheap of them! by Anonymous Coward · · Score: 0

    Wow!

    How CHEAP of them!

    Only $200K for a technology that's going to make them hundreds of millions. I feel sorry for the sucker programmer who falls for this gag.

    1. Re:How cheap of them! by Locutus · · Score: 1

      that's what I was thinking. They'll blow billions every 3 months on BING and have blown billions on Zune and Windows CE but when it comes to security for Windows, the product which allows them to spend/waste so many billions, they offer a $200k bounty if you qualify? As you said, "How CHEAP of them!".

      Then again, it's probably just another PR stunt.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  23. And thus MS misses the mark again by subreality · · Score: 2

    Like antivirus, and antimalware, they're trying to provide active defenses for when code tries to do something bad. ... but they continue to ignore the fact that the best defense is to not run bad code to begin with. They're so gung-ho on making it easy for the user to do what they want to do (which is an admirable enough goal) that we have:

    • browsers that auto-install plugins
    • Mailreaders that let you run attachments with a couple clicks
    • Removable storage that auto-runs programs
    • Files that run because they're called *.exe instead of making the user contemplate for a moment the ramifications of chmod +x
    • Prompts to "allow the following program to make changes to this computer" without any useful context of the nature of the changes or their implications

    Instead they're trying to install laser-turrets to shoot down every incoming mosquito after it's already intruded into our secure zone. Sure, that's nice too, but it's not a substitute.

    1. Re:And thus MS misses the mark again by Anonymous Coward · · Score: 0

      All things which already happen in many Linux distros or could be made to happen with trivial effort.

    2. Re:And thus MS misses the mark again by subreality · · Score: 1

      Except they don't. By using centralized package management, I don't have to run random binaries I downloaded to install things. I go into the package manager, and I know exactly what the implications are: it'll install a piece of software. If I don't like it, I uninstall it, and it does so cleanly.

      I get flash through the package manager.
      My mailreader doesn't let me directly execute programs (unless they're .exe which get run in Wine amusingly).
      My removable storage doesn't auto-run.
      Programs have to be chmod +x .

      I do have the same vulnerability if I run a randomly downloaded program as root so it can go off and do whatever, and I don't have any better insight as to its changes than I do in Windows. The key difference is that's an exceptionally rare thing to do in Linux, whereas it's an everyday occurrence in Windows.

      Sure, these things *could* be made to happen, but they don't, because it's not a desirable way to do things. Since that's not how you normally install software, it doesn't make things difficult for users, except those who're used to the Windows way of doing things. From my own experience, my father came to me confused because he wanted to install a program, and had downloaded a half dozen things but couldn't get them to install. I showed him how to use the Ubuntu Software Center, and he won't stop raving about how wonderful it is.

    3. Re:And thus MS misses the mark again by Anonymous Coward · · Score: 0

      Windows hasn't done most of those things in quite some time, either. Vista/Windows 7 runs everyone under the context of a normal user. Plugins require a multiple step validation process to permit installation, many of them just flat out require external installers at this point. Outlook flat out blocks most attachments. The removable storage issues have been largely patched (and Windows is not the only OS with problems there these days.) And requiring the user to grant execution privileges to a binary is no different than a user-account control dialog. Just another singular pointless step that a mindless drone will do mindlessly.

      Running all random applications as root died with Windows XP, at least once Windows XP realizes that it's dead.

      As for the central installation repository, I agree that it would be very helpful. Unlike Ubuntu and other open source repositories Microsoft has a huge amount of liability as to what applications get what kind of billing and how. What if Office gets slightly more exposure than LibreOffice or if ModPlug comes up more often in searches than WinAmp? Microsoft can't just say "these are the approved applications" without that whetting the appetites of lawyers. And if MS were to implement a channel like this, even if it remained entirely optional with external arbitrary binaries still permitted, the entire Slashdot crowd would still cry foul, just like they do about every evil software restriction that you invent them enforcing.

    4. Re:And thus MS misses the mark again by 0123456 · · Score: 1

      Running all random applications as root died with Windows XP, at least once Windows XP realizes that it's dead.

      Yeah, now users have to click 'OK' when they see the box that says 'Hello Kitty Screensaver wants to: Access Hard Disk' before it can install its malware payload.

    5. Re:And thus MS misses the mark again by Anonymous Coward · · Score: 0

      browsers that auto-install plugins

      That hasn't been true since the IE6 days.

      Removable storage that auto-runs programs

      That hasn't been true since the Windows 98/2K days (if ever, I don't remember). XP pre-SP1 didn't autorun USB programs. It put them in an autoplay box (removed in XP SP3).

      Files that run because they're called *.exe instead of making the user contemplate for a moment the ramifications of chmod +x

      You mean like the huge warning they get when downloading programs from the web? CLI doesn't exist for 99% of users.

      Prompts to "allow the following program to make changes to this computer" without any useful context of the nature of the changes or their implications

      Android is the only operating system which has tackled this issue, and by most accounts it has failed at it.

    6. Re:And thus MS misses the mark again by kangsterizer · · Score: 1

      I'm pretty sure they mean passive, real defenses here.
      That said, 200,000, while it's good for a small thing, is nothing if someone comes up with something groundbreaking.

    7. Re:And thus MS misses the mark again by subreality · · Score: 1

      That hasn't been true since the IE6 days.

      Take IE9 to a web page that wants a plugin, and you're about two clicks away from installing it.

      You mean like the huge warning they get when downloading programs from the web? CLI doesn't exist for 99% of users.

      Yes, I mean exactly that. The very *existence* of that dialog is the problem. The workflow for installing things on Windows means you have to do that. Doing it right doesn't mean writing a better warning message, because the user is solely focused on "what do I need to click to make it go" and isn't going to read the warning.

      It doesn't mean you have to go to the CLI: right click, properties, permissions, executable, and then you run it. That's considered backward UI in Windows because you're making a routine task difficult... But my point is needing to execute downloaded binaries shouldn't be routine.

      Android is the only operating system which has tackled this issue, and by most accounts it has failed at it.

      At least they're trying. A few more cycles of the idea and we might get somewhere.

    8. Re:And thus MS misses the mark again by Anonymous Coward · · Score: 0

      It doesn't mean you have to go to the CLI: right click, properties, permissions, executable, and then you run it. That's considered backward UI in Windows because you're making a routine task difficult... But my point is needing to execute downloaded binaries shouldn't be routine.

      Normal PC users have massive amounts of problems figuring out where a file downloaded, and how to deal with filesystems. If by some luck they do discover the download directory, they're lost because it's utterly swamped by 1,000 downloaded files.

  24. Re:A system and method for preventing virus infect by Anonymous Coward · · Score: 0

    it shocks the guy next to you

  25. Drum tight setup by Anonymous Coward · · Score: 0

    Disable all the external drives and ports and disable all the networking. I'll be collecting my check shortly.

  26. Free ideas for the losers by Anonymous Coward · · Score: 0

    The "winner" may get a check. The losers get their ideas tossed about at Microsoft with the possibility that a losing idea that has potential may be used in the future with nothing for "second place".

  27. Re:Sit on your butts! by hansraj · · Score: 1

    Hey Bob, no talk of subluxation this time? Getting subtler in your trolling, eh?

  28. Re:A system and method for preventing virus infect by Anonymous Coward · · Score: 0

    Guess what batteries are in a Taser...

  29. Back to their roots... by Scarred+Intellect · · Score: 1

    So Microsoft's big idea is to buy software that other people have made?

    I suppose it's not a bad business model, buy something that someone else created and rebrand it to sell it yourself...I mean hey, it worked for them before, right?

    But why can't the world's largest software company do this themselves? I understand the need for an "outsider" to have a different perspective, but it seems that they should still be able to do this themselves.

    Almost 30 years, and you still suck at life. Way to go, Microsoft.

    1. Re:Back to their roots... by Anonymous Coward · · Score: 1

      You know you have a big company when it is castigated for not-invented-here syndrome AND for not inventing everything here.

    2. Re:Back to their roots... by Anonymous Coward · · Score: 0

      I bet if Google came out with the same idea it would have been hailed as doing something good??

  30. Yeah, just like Stacker... by Anonymous Coward · · Score: 0

    Come up with a way to make security better and see if your material doesn't get stolen by M$?

    M$ can be trusted to pay up, right?

    Maybe you'll get a box of MS Word retail packages with a MSRP of $400 each instead of a check?

    1. Re:Yeah, just like Stacker... by Larryish · · Score: 1

      Maybe you'll get a box of MS Word retail packages with a MSRP of $400 each instead of a check?

      And then when you sell them on Ebay, MS will use the DMCA to have the auctions removed.

  31. Re:Sit on your butts! by gcnaddict · · Score: 1

    The best computer defense is to TURN IT OFF!

    First to permanently turn Bob's computer off will probably win the prize.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  32. Show me the money by Anonymous Coward · · Score: 0

    Don't thank Microsoft, thank the Von Neumann architecture for this problem. Can I just submit the Harvard architecture as a proposal and collect my 200k? Redesign how computers fundamentally use memory. (Don't redesign, use what Harvard suggested 70 years ago.) Can I have my money now?

  33. Precedent by BlueMikey · · Score: 1

    This kind of contest worked pretty darn well for Netflix.

  34. Pay to the order of? by xactuary · · Score: 0

    Be sure to make the check payable to Apple Inc. and not Apple Computer.

    --
    Say hello to my little sig.
  35. This just in... by Anonymous Coward · · Score: 0

    The new security tech is reportedly called "Unix".

  36. STOP HIDING FILE EXTENSIONS! by dargndorp · · Score: 1

    STOP HIDING FILE EXTENSIONS!

    Really, this has got to be the premiere cause of users not gaining some semblance of understanding in the basics of Windows-based computing. Once users start seeing these little tags after the name of a file, everything becomes much easier to explain and suddenly users are undimmed, if not enlightened.

    1. Re:STOP HIDING FILE EXTENSIONS! by gstrickler · · Score: 1

      Wait, you think users will even notice?

      All joking aside, that is one of the defaults that I really hate on Windows. It's completely useless. It doesn't make things any clearer for non-technical users, in fact, it leaves them uninformed and oblivious, while at the same time, it makes extra work for more technical users and tech support.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    2. Re:STOP HIDING FILE EXTENSIONS! by dargndorp · · Score: 1

      No, the default uninformed user won't notice.

      However, and this is purely my perspective, once I've had a little talk with users when giving them the tour of their newly resurrected system, faces light up when I tell them that this little thingamajig after the filename is how Windows decides what type of file it is and what Windows thinks it can do with it. The gap to getting a grip on the whole systems seems (to me) to close quite a bit.

      Amazingly, the "type" column in Windows Explorer seems not to work for users at all. In one ear, out the other.

    3. Re:STOP HIDING FILE EXTENSIONS! by gstrickler · · Score: 1

      I agree, most users don't notice, and most understand quite well with a 1-2 minute explanation about what file extensions are and which ones are executable. I've supported hundreds of users, only had 1-2 who seemed to have any difficulty grasping the concept of file name extensions and the fundamental difference between executable files vs data files. Of course, when you have data files that can include scripts, macros, etc. the distinction gets blurred, but they do grasp the basics.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
  37. That is hilarious by Anonymous Coward · · Score: 0

    That is a tiny carrot and a frivolous smack in the face for some of the brightest minds on the planet. That is cheap sourcing tech if there ever was cheapsourcing. The five best ideas and their authors should form their own company and charge Microsoft $22B annually to keep that company's systems and software portfolios safe.

    1. Re:That is hilarious by Anonymous Coward · · Score: 0

      How practical is that, considering that such a company would experience >100% turnover every couple of years as researchers age out of the "brightest minds" spot? I'm not sure whether you're more ignorant about what it takes to do defensive security or what it takes to actually operate a company, but either way, fail.

  38. Re:A system and method for preventing virus infect by Anonymous Coward · · Score: 0

    USB is positive 5 volts so you're golden.

  39. I have a brilliant suggestion by IWantMoreSpamPlease · · Score: 1

    Unplug the network cable.
    Tada! Instant security.

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
    1. Re:I have a brilliant suggestion by ChipMonk · · Score: 1

      Until you plug in that infected USB thumb drive.

      Or that infected USB hard drive.

      Or insert that CD that was made from the infected gold master.

  40. how about stopping the attack before it starts. by alienzed · · Score: 1

    Option 1: Disable network connection. Now you can only hack yourself. Option 2: Nuke the world; cockroaches can't hack. Nobody, no problem. Please send the money to the address in my profile. Thx.

    --
    Never say never. Ah!! I did it again!
  41. would you rather by Anonymous Coward · · Score: 0

    In the face of mounting external pressure to begin paying bug bounties

    get paid maybe $30,000 by Microsoft for finding a bug
    or create a piece of software that fixes a bug in Windows and sell it at $5 a pop
    (given the several hundred million user base)
    guess which one Microsoft would rather encourage

  42. Meanwhile, elsewhere by FlyveHest · · Score: 1

    Valve is paying 1 million dollars for people playing a videogame.

  43. What will Linus do with the money? by Required+Snark · · Score: 1

    Just asking.

    --
    Why is Snark Required?
  44. Problem solved. by Eric+S.+Smith · · Score: 1

    They want to "defend against memory safety vulnerabilities?" I assume that they're talking about buffer overflows, if nothing else, and I can think of a couple of ways to prevent them: 1) non-von Neumann architecture; or, and here I'm going really crazy, I know, with an idea that'd disrupt the entire industry: 2) stop using bloody C.

  45. Idea by StripedCow · · Score: 1

    Replace web browsers by virtual machines.

    Rationale: web browsers are WAY too complicated to ever be secure; virtual machines, on the other hand, need to support only a relatively small set of base instructions; as extra advantages, virtual machines are also more flexible and may relieve developers from the browser-compatibility headaches they've been having for years. Let's do it :)

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  46. A Blue Hat? by bradorsomething · · Score: 1

    I thought a Blue Hat was a Black Hat that couldn't get laid.

  47. old school by pbjones · · Score: 1

    Pocket calculator and a typewriter, and a fire-proof safe. These will cost you less than a reasonable PC and give you many years of service. Just send a couple of $1000 in real currency, none of the e-Money/net-money crap!

    --
    There was an unknown error in the submission.
  48. Caps by Lorens · · Score: 1

    Microsoft employed capability researcher Jonathan Shapiro for some time, but not any more. I wonder if that's because they decided it was too hard, unfeasible, never wanted caps at all, or some other reason. Caps would definitely be a way to defeat several if not most classes of bugs. In fact I have never encountered another method of computer security that seems credible.

  49. WTF - Microsoft only pays 200k? by Anonymous Coward · · Score: 0

    Ok, this is crazy. A billion dollar company wants a researcher to give up IP that will make them millions for 200k. Don't do it!

  50. Nothing like working for M$ on Spec(ulation) by theNAM666 · · Score: 1

    http://no-spec.com/ [no-spec.com]

    This is no different. M$'s "prize" is less than it would cost to PAY people to conduct the equivalent research. This kind of "contest" which is really "exploitation" should be considered an(other) unfair labour practice.

  51. Like if they need 'new' ideas... by Anonymous Coward · · Score: 0

    ... if instead they could just implement the decades old experiences encountered in the *nix/linux field into their architecture, and they would get somewhere. This is just a marketing ploy to distract from the fact that they are just plain _stupid_

    point...

    there is nothing more to it really... they could start by splitting up services into different users for example, as we did, what? About 20 years ago? And rethink their own design mistakes made over the last 30 years... but hey; it's Microsoft, so dream on, they don't want to, they just want to keep the illusion they're working on improvement while sitting on their license income! Innovation to them, that's for nerds and dreamers, not practical...

  52. America, where reasoning is trumped by stupidity. by Anonymous Coward · · Score: 0

    I, as a greedy and malicious individual, love it when 90% of the world's computers can be compromised simply because of bad management decisions. Keep up the good work. Keep making my life easier.

  53. Paying by munky99999 · · Score: 1

    I'm paying $200,000 for your $1,000,000 working product... oh wait.

  54. Have already LONG ago (HOSTS file engine) by Anonymous Coward · · Score: 0

    A return to the "old" to combat the problems of "the new" & why, in combination with filtering DNS servers (vs. malware-in-general in most ALL forms) that use DNSBL's vs. them! I have done so for YEARS now (since 2002 in my older Delphi model, which used "brute force" dedup methods which was FINE on HOSTS files in those days that only MAYBE hit 16k lines - lately, they're a LOT larger than that, so I switched to a Python system my nephew & I co-wrote that processes MILLIONS @ a time & faster dedup algorithms in place is why because of Python's built in routines).

    It does the following things:

    ---

    1.) Data gather from reputable sources for HOSTS data (some listed below, not all though), DNSBL's too!

    2.) Alphabetize the data

    3.) Removes duplicates/normalizes the data

    4.) Changes from the larger & slower 127.0.0.1 "loopback adapter address" to the just as compatible & faster 0.0.0.0 "blackhole routing" address instead

    5.) Filtering vs. "problematic" sites that MAY 'disturb' some sites IF their adbanner servers are disrupted (YAHOO, AOL, MSN & quite a few others)

    6.) Commits back (from a "temp/scratch" file) to the ORIGINAL HOSTS file for use by the system &/or apps (@ RPL 0/Ring 0/kernelmode level, FAR faster & more efficient than Ring 3/RPL 3/Usermode filtering solutions are mind you) by OVERWRITE, assuring CLEAN COPY & a pristine unaltered (by malware) HOSTS file!

    ---

    My HOSTS file currently protects me vs.

    Why? Ok, read on:

    20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:

    1.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).

    2.) Adblock blocks ads in only 1-2 browser family, but not all (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).

    3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

    4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).

    5.) Adblock doesn't allow you to hardcode your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs, hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it's current).

    6.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpage's content, nor as much as a DNS server does while it runs. HOSTS files are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can.

    7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

    8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

    GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LIS
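
    An added worked example, not the poster's script and not anything from Microsoft: a Python rendering of the six-step HOSTS pipeline the comment above describes (gather, sort, dedupe/normalise, rewrite 127.0.0.1 to 0.0.0.0, exempt "problematic" hosts, commit by overwrite). The two block-list snippets, the hostnames in them and the exemption entry are constructed for the example; the only real entries are the loopback names every HOSTS file must keep. The atomic commit in step 6 writes a temp file next to the target and renames over it, so the resolver never reads a half-written file.

```python
"""Merge and normalise HOSTS-format block lists (constructed example data)."""
import ipaddress
import os
import re
import tempfile

# Constructed sample "sources" standing in for downloaded block lists.
SOURCE_A = """\
# Source A (constructed)
127.0.0.1  ads.example.test
127.0.0.1  Tracker.Example.Test   # mixed case; same host appears in B
127.0.0.1  localhost
0.0.0.0    malware-cc.example.test
"""
SOURCE_B = """\
# Source B (constructed)
127.0.0.1 tracker.example.test
127.0.0.1 banners.example.test
::1       localhost
127.0.0.1 adserver.yahoo.example.test
garbage line without an address
"""

# Loopback names that must never be blackholed.
PRESERVED = {"localhost", "localhost.localdomain", "broadcasthost"}
# Step 5: hosts exempted because blocking them breaks sites users want
# (constructed entry; the poster names Yahoo/AOL/MSN as examples).
EXEMPT = {"adserver.yahoo.example.test"}
# Step 4: unroutable blackhole address instead of the loopback adapter.
BLACKHOLE = "0.0.0.0"

_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)


def parse_hosts(text):
    """Yield lower-cased hostnames from HOSTS text; comments/junk skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])  # first field must be an address
        except ValueError:
            continue  # step 3: drop lines that are not "address names..."
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if _HOSTNAME_RE.match(name):
                yield name


def build_blocklist(sources, exempt=EXEMPT, preserved=PRESERVED):
    """Steps 1-5: merge sources, normalise, dedupe (set), filter, sort."""
    names = set()
    for src in sources:
        names.update(parse_hosts(src))
    names -= preserved
    names -= exempt
    return sorted(names)  # step 2: alphabetised output


def render_hosts(names, address=BLACKHOLE):
    """Produce the HOSTS file body, keeping the loopback entries first."""
    lines = ["# generated blocklist (constructed example)",
             "127.0.0.1 localhost", "::1 localhost"]
    lines += [f"{address} {n}" for n in names]
    return "\n".join(lines) + "\n"


def write_atomically(path, content):
    """Step 6: write a temp file beside the target, fsync, rename over it."""
    directory = os.path.dirname(os.path.abspath(path)) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".hosts.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX and on Windows
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def refresh_hosts(path, sources=(SOURCE_A, SOURCE_B)):
    """Run the whole pipeline and return the content read back from disk."""
    write_atomically(path, render_hosts(build_blocklist(sources)))
    with open(path) as f:
        return f.read()


def demo_path():
    """A scratch target so the example never touches the real HOSTS file."""
    return os.path.join(tempfile.mkdtemp(prefix="hosts-demo-"), "hosts")


if __name__ == "__main__":
    print(refresh_hosts(demo_path()), end="")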

  55. Well it would seem like... by Anonymous Coward · · Score: 0

    "they wanted to encourage researchers to think about ways to defeat entire classes of bugs."

    Easy, M$. Open the source code files and let the rest of the world do your job for you.

    Yes, it's called Open Source.

    Silly Paperclip.

  56. Re:A system and method for preventing virus infect by rgviza · · Score: 1

    You could reverse the polarity of the electrical connection :-p

    --
    Don't kid yourself. It's the size of the regexp AND how you use it that counts.