Slashdot Mirror


Microsoft To Pay $200k Prize For New Security Tech

Trailrunner7 writes "In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to 'inspire researchers to focus their talents on defensive technologies,' the company said. Known as the Blue Hat Prize, after the company's regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google, Mozilla and others do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs."

72 of 111 comments

  1. $200,000 by wsxyz · · Score: 1

    Awesome! That'll pay for 15 graduate students!

    1. Re:$200,000 by bberens · · Score: 1

      Awesome! That'll pay for 15 graduate students!

      More like 15 graduate credits. Inflation gets you every time.

      --
      Check out my lame java blog at www.javachopshop.com
    2. Re:$200,000 by gweihir · · Score: 1

      In countries where PhD students are compensated reasonably (and hence are among the best), this does pay for about 1/4 of one PhD. For real results, MS would have to invest more like 5 Million. This is a stupid and pathetic publicity stunt.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. It's worth a lot more than that by blair1q · · Score: 4, Insightful

    If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

    1. Re:It's worth a lot more than that by mushroommunk · · Score: 1

      But then Microsoft will find some BS law stating that since it was developed in regards to this competition they own the product and require you to hand over your code....or worse.

    2. Re:It's worth a lot more than that by fishybell · · Score: 2

      If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

      The $200k is essentially the license fee for the idea to Microsoft. Not a great deal, but not a bad one either.

      You can still sell the idea (and implementations) to whomever you desire (including Microsoft if they want to buy a better implementation).

      The biggest problem I see is what happens if you win the MSDN subscription (no cash) or the $50k prize. The no money MSDN is an obvious bad deal on a potentially profitable product, and the $50k is likely a very bad deal on a potentially profitable product. Microsoft will however likely not implement any one idea, but rather a collection of all ideas.

      You can however always rest easy knowing that their implementation of any security product will be so-so at best. If you have a great idea and a great implementation even winning the MSDN subscription will net you a profit in the long run by licensing to others. The free press is also worth an amount, even if it can't be calculated or measured.

      --
      ><));>
    3. Re:It's worth a lot more than that by Jahava · · Score: 1

      If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

      Cool, then the next-best one will win ... and so on. Either way, MS will get something useful for $200K, and in your best-case scenario lots of worthwhile products will be monetized to improve security.

    4. Re:It's worth a lot more than that by LifesABeach · · Score: 1

      Maybe, but by m$ offering anything could easily be construed as Negotiation.

    5. Re:It's worth a lot more than that by sqlrob · · Score: 1

      Not quite.

      The promise of a potential $200K is the payment. It's a crappy deal. They can use any of the submissions, not just the winning ones.

    6. Re:It's worth a lot more than that by aztracker1 · · Score: 1

      You can however always rest easy knowing that their implementation of any security product will be so-so at best. If you have a great idea and a great implementation even winning the MSDN subscription will net you a profit in the long run by licensing to others. The free press is also worth an amount, even if it can't be calculated or measured.

      Seeing that their Security Essentials is better than the other free options, and many paid options, that may be bias speaking.

      --
      Michael J. Ryan - tracker1.info
    7. Re:It's worth a lot more than that by Isaac+Remuant · · Score: 1

      And this is why I think Contests make for one of the biggest legal scams of the internet age.

      Some might turn out wonderful for the winners but beware of any resource provided by the organizers that might render your own work unusable (unless you win and only on their terms). If you intend on competing for a prize and not just using the experience make sure you read the terms and conditions multiple times and ask around in case of any ambiguities or you might end up feeling quite disenchanted.

      --
      "Science can amuse and fascinate us all, but it is engineering that changes the world. " - Asimov.
    8. Re:It's worth a lot more than that by fishybell · · Score: 1

      I love MSSE, but Microsoft bought it. It wasn't developed in-house so much as re-branded in-house.

      --
      ><));>
  3. That's an innovative approach.. by Anonymous Coward · · Score: 1

    And that's all I have to say about that.

    1. Re:That's an innovative approach.. by erroneus · · Score: 3, Insightful

      If by innovative you mean "wrong" then yes, I agree.

      Microsoft created this beast of a problem over the years. It was a problem more than a decade ago and they let it grow in complexity and complication. They have it in their power to grow a culture of developers who are security conscious. And there have been countless opportunities for Microsoft along the way to rewrite their OS with security in mind and they haven't done it. Incremental improvements happened along the way and I am actually more pleased with Windows 7 than I ever expected to be. But Microsoft needs to get more serious than they are. They need to prepare themselves to piss off the advertising world by setting up Ad Block and No Script on MSIE. And if they integrate those two things along with a reputation scoring system which updates a local database of web servers which are safe and web servers which are known to be compromised, then they would have a more secure user experience.

      It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

      Microsoft needs to take charge on this matter, but they are clearly beholden to too many masters and their end users are the least important of them all.

    2. Re:That's an innovative approach.. by aztracker1 · · Score: 1

      It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

      If you wouldn't mind pointing out how Script engine exploits for the past 5 years or so have been worse than their major counterparts? It's been my understanding that Flash, Acrobat Reader and Java have been the main attack vectors, and this isn't limited to windows, or a specific browser. Don't get me wrong, having scripts run in email, let alone having it run in the "local" not the "untrusted" zone was a very stupid move in outlook and oe, but it really isn't 1999-2000 anymore.

      It's the sites/services actively working to continue supporting IE6-7-8 that are the problem... We should all push the yellow banner at the top to older IE users. Like the 20 things I learned site does... same for firefox 3.5, and older safari and opera versions.

      --
      Michael J. Ryan - tracker1.info
    3. Re:That's an innovative approach.. by mikael · · Score: 1

      1980's - biggest problem with MS-DOS computers was that anyone could delete and overwrite system files, especially in shared environments. It's really hard to believe now, but the standard PC didn't have any distinction between system files and user files except for the read-only, hidden and system file bits.
      Boot sector viruses were the biggest worry, with sys-admins/help-desks having to continuously fix PC's.

      On UNIX side, network worms were the biggest danger.

      1990's - Microsoft "fixes" the problem with Windows systems through the use of the "registry", which was to put all important system information in one big hidden place. Separate User ID's and accounts were introduced to give some basic security, but PC owners just give all their new accounts system admin access in order to allow the downloading of games. Neither of these helped to stop the problem of malware.

      If anything, having *hidden* compartments/directories/files on a system, only assists malware, by giving it places to hide data. Even deep directory paths and filenames with strange characters like * or # assist in this.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
  4. A system and method for preventing virus infection by Compaqt · · Score: 1

    Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

    --
    I'm not a lawyer, but I play one on the Internet. Blog
  5. in other news, by theswimmingbird · · Score: 1

    Linus Torvalds just opened a new bank account.

  6. Re:A system and method for preventing virus infect by grub · · Score: 1


    A 5 volt shock... yeah, that'll teach 'em!
    If they persist, fetch the dreaded 9 volt batteries from the armoury!

    --
    Trolling is a art,
  7. Makes sense to me. by Petersko · · Score: 1

    It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.

    1. Re:Makes sense to me. by 0123456 · · Score: 1

      It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.

      Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?

    2. Re:Makes sense to me. by Petersko · · Score: 1

      "Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?"

      It's only a better idea if they actually say yes.

  8. Re:A system and method for preventing virus infect by dragon-file · · Score: 4, Funny

    Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

    I've always preferred positive over negative reinforcement.

    --
    Whenever a player quits EVE to go play WoW, the Average IQ of both games increase.
  9. Re:A system and method for preventing virus infect by wsxyz · · Score: 1

    So every time you click on a non-malware site, then.... what?

  10. "focus their talents on defensive technologies" by Anonymous Coward · · Score: 2, Interesting

    "to defend against memory safety vulnerabilities"

    Funny that they are restricting people's talents like this. There may be better ways to defend against malware than this, which I don't think they are trying to defend against. It seems like this type of defensive vector might be more geared to DRM/TPM.

    1. Re:"focus their talents on defensive technologies" by hansraj · · Score: 3, Informative

      The only person quoted in TFA, Katie Moussouris is a senior security strategist in Microsoft's Trustworthy Computing Group. So I'd say that you might not be way off the mark here.

    2. Re:"focus their talents on defensive technologies" by KNicolson · · Score: 1

      Note that Trusted Computing (TPM etc) and Trustworthy Computing (secure coding etc) are very, very different things.

  11. Re:A system and method for preventing virus infect by biek · · Score: 3, Insightful

    A whoosh sound plays over the speakers.

  12. Re:A system and method for preventing virus infect by Meskarune · · Score: 1

    So every time you click on a non-malware site, then.... what?

    your computer gives you an orgasm.

    --
    cat /dev/head >> post
  13. Re:A system and method for preventing virus infect by Compaqt · · Score: 1

    If only the USB people had allowed for 3-phase power in the original spec...

    --
    I'm not a lawyer, but I play one on the Internet. Blog
  14. Stop using Windows by Rix · · Score: 3, Insightful

    When should I expect my cheque?

    1. Re:Stop using Windows by freeze128 · · Score: 1

      When should I expect my cheque?

      As soon as everyone stops using Windows.

      Ha Ha, BURN!

    2. Re:Stop using Windows by gstrickler · · Score: 1

      No, that approach fails to meet the contest terms. Use Windows, but only allow it to connect to a network (any network) through a proxy. The proxy is an *nix box running Windows in a VM, and each VM is only allowed to run a single Windows application. Multiple VMs can not communicate with each other, but they can share specific directories stored on the host (and of course, the host is performing malware scanning on any files in those directories).

      Think of the benefits. No more DLL hell (no apps fighting over incompatible DLLs), no access to other apps info. No direct network access, inbound or outbound. No spreading infected files or email to other machines. No zombies. No access to the MBR or BIOS.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    3. Re:Stop using Windows by Korin43 · · Score: 1

      Everyone will stop using Windows now that Microsoft is publicly admitting that all their billions of dollars can't buy a decent security team, begging the public-at-large for help.

      Clearly you've never met a Windows user. Microsoft could put viruses on their install CDs and publicly admit it, and people would still keep using it. In fact, after a couple years they'd start bragging about how much easier it is to get viruses on Windows ("Why do I get prompted for an administrator password before I can install viruses on Linux? It's so complicated!").

  15. Re:A system and method for preventing virus infect by Baloroth · · Score: 2

    So every time you click on a non-malware site, then.... what?

    your computer gives you an orgasm.

    Wait, don't porn sites generally have the most malware?

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  16. So what exactly does this entail by Riceballsan · · Score: 2

    I mean correct me if I'm wrong but it sounds like rather than actually plugging the holes that cause problems, they are looking for another antivirus equivalent to try and stop things once they fall into the holes? It sounds like a bug bounty system that doesn't want to actually involve fixing bugs.

    1. Re:So what exactly does this entail by h4rr4r · · Score: 2

      This is what you get when MBAs run a company. They don't understand the problem so instead they want people to find a magic solution and for cheap.

    2. Re:So what exactly does this entail by gstrickler · · Score: 1

      Actually, good security relies upon multiple layers. While this is no substitute for designing and writing secure code, the fact is bugs get through any development process. Therefore, having defenses that can catch/stop programs from exploiting those bugs is another level of defense. The more layers you have to security without getting in the way of performing work, the harder it is for any bug to be converted into a working exploit. Bugs still need to be fixed as quickly as practical, but additional layers shrink the exposure window.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    3. Re:So what exactly does this entail by gweihir · · Score: 1

      And that never, ever works. Pathetic MS publicity stunt, really. For this money you can get one reasonably smart and not too experienced person for a year. When doing a PhD at a good university, you need about that long to understand the problem area and formulate a research goal.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:So what exactly does this entail by gweihir · · Score: 1

      Actually, good security relies upon multiple layers. While this is no substitute for designing and writing secure code, the fact is bugs get through any development process. Therefore, having defenses that can catch/stop programs from exploiting those bugs is another level of defense. The more layers you have to security without getting in the way of performing work, the harder it is for any bug to be converted into a working exploit. Bugs still need to be fixed as quickly as practical, but additional layers shrink the exposure window.

      Indeed. And that is, from a security perspective, one of the most important arguments against Windows. They have a rather pathetic excuse for OS layer security. This is their main problem from a technological point of view. Of course, as MS does not care about technological excellence, this is also the predictable result and is the reason why a community effort, or really several ones, are now far, far ahead of them.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  17. default deny by symbolset · · Score: 1

    That's going to be the most help. Make out the check to fsf. You're welcome.

    --
    Help stamp out iliturcy.
  18. And thus MS misses the mark again by subreality · · Score: 2

    Like antivirus, and antimalware, they're trying to provide active defenses for when code tries to do something bad. ... but they continue to ignore the fact that the best defense is to not run bad code to begin with. They're so gung-ho on making it easy for the user to do what they want to do (which is an admirable enough goal) that we have:

    • browsers that auto-install plugins
    • Mailreaders that let you run attachments with a couple clicks
    • Removable storage that auto-runs programs
    • Files that run because they're called *.exe instead of making the user contemplate for a moment the ramifications of chmod +x
    • Prompts to "allow the following program to make changes to this computer" without any useful context of the nature of the changes or their implications

    Instead they're trying to install laser-turrets to shoot down every incoming mosquito after it's already intruded into our secure zone. Sure, that's nice too, but it's not a substitute.

    1. Re:And thus MS misses the mark again by subreality · · Score: 1

      Except they don't. By using centralized package management, I don't have to run random binaries I downloaded to install things. I go into the package manager, and I know exactly what the implications are: it'll install a piece of software. If I don't like it, I uninstall it, and it does so cleanly.

      I get flash through the package manager.
      My mailreader doesn't let me directly execute programs (unless they're .exe which get run in Wine amusingly).
      My removable storage doesn't auto-run.
      Programs have to be chmod +x .

      I do have the same vulnerability if I run a randomly downloaded program as root so it can go off and do whatever, and I don't have any better insight as to its changes than I do in Windows. The key difference is that's an exceptionally rare thing to do in Linux, whereas it's an everyday occurrence in Windows.

      Sure, these things *could* be made to happen, but they don't, because it's not a desirable way to do things. Since that's not how you normally install software, it doesn't make things difficult for users, except those who're used to the Windows way of doing things. From my own experience, my father came to me confused because he wanted to install a program, and had downloaded a half dozen things but couldn't get them to install. I showed him how to use the Ubuntu Software Center, and he won't stop raving about how wonderful it is.

    2. Re:And thus MS misses the mark again by 0123456 · · Score: 1

      Running all random applications as root died with Windows XP, at least once Windows XP realizes that it's dead.

      Yeah, now users have to click 'OK' when they see the box that says 'Hello Kitty Screensaver wants to: Access Hard Disk' before it can install its malware payload.

    3. Re:And thus MS misses the mark again by kangsterizer · · Score: 1

      I'm pretty sure they mean passive, real defenses here
      that said 200 000 while it's good for a small thing, it's nothing if someone comes up with something groundbreaking.

    4. Re:And thus MS misses the mark again by subreality · · Score: 1

      That hasn't been true since the IE6 days.

      Take IE9 to a web page that wants a plugin, and you're about two clicks away from installing it.

      You mean like the huge warning they get when downloading programs from the web? CLI doesn't exist for 99% of users.

      Yes, I mean exactly that. The very *existence* of that dialog is the problem. The workflow for installing things on Windows means you have to do that. Doing it right doesn't mean writing a better warning message, because the user is solely focused on "what do I need to click to make it go" and isn't going to read the warning.

      It doesn't mean you have to go to the CLI: right click, properties, permissions, executable, and then you run it. That's considered backward UI in Windows because you're making a routine task difficult... But my point is needing to execute downloaded binaries shouldn't be routine.

      Android is the only operating system which has tackled this issue, and by most accounts it has failed at it.

      At least they're trying. A few more cycles of the idea and we might get somewhere.

  19. Re:Sit on your butts! by hansraj · · Score: 1

    Hey Bob, no talk of subluxation this time? Getting subtler in your trolling, eh?

  20. Back to their roots... by Scarred+Intellect · · Score: 1

    So Microsoft's big idea is to buy software that other people have made?

    I suppose it's not a bad business model, buy something that someone else created and rebrand it to sell it yourself...I mean hey, it worked for them before, right?

    But why can't the world's largest software company do this themselves? I understand the need for an "outsider" to have a different perspective, but it seems that they should still be able to do this themselves.

    Almost 30 years, and you still suck at life. Way to go, Microsoft.

    1. Re:Back to their roots... by Anonymous Coward · · Score: 1

      You know you have a big company when they are castigated for not invented here syndrome AND for not inventing everything here.

  21. Re:Can I submit "Linux?" by hansraj · · Score: 1

    Even if this competition was about developing secure operating systems - which it is not - there are operating systems out there (though not in popular use) that are way more secure than Linux in implementation, design, or both.

  22. Re:Sit on your butts! by gcnaddict · · Score: 1

    The best computer defense is to TURN IT OFF!

    First to permanently turn Bob's computer off will probably win the prize.

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  23. Precedent by BlueMikey · · Score: 1

    This kind of contest worked pretty darn well for Netflix.

  24. STOP HIDING FILE EXTENSIONS! by dargndorp · · Score: 1

    STOP HIDING FILE EXTENSIONS!

    Really, this has got to be the premier cause of users not gaining some semblance of understanding in the basics of Windows-based computing. Once users start seeing these little tags after the name of a file, everything becomes much easier to explain and suddenly users are undimmed, if not enlightened.

    1. Re:STOP HIDING FILE EXTENSIONS! by gstrickler · · Score: 1

      Wait, you think users will even notice?

      All joking aside, that is one of the defaults that I really hate on Windows. It's completely useless. It doesn't make things any clearer for non-technical users, in fact, it leaves them uninformed and oblivious, while at the same time, it makes extra work for more technical users and tech support.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    2. Re:STOP HIDING FILE EXTENSIONS! by dargndorp · · Score: 1

      No, the default uninformed user won't notice.

      However, and this is purely my perspective, once I've had a little talk with users when giving them the tour of their newly resurrected system, faces light up when I tell them that this little thingamajig after the filename is how Windows decides what type of file it is and what Windows thinks it can do with it. The gap to getting a grip on the whole system seems (to me) to close quite a bit.

      Amazingly, the "type" column in Windows Explorer seems not to work for users at all. In one ear, out the other.

    3. Re:STOP HIDING FILE EXTENSIONS! by gstrickler · · Score: 1

      I agree, most users don't notice, and most understand quite well with a 1-2 minute explanation about what file extensions are and which ones are executable. I've supported hundreds of users, only had 1-2 who seemed to have any difficulty grasping the concept of file name extensions and the fundamental difference between executable files vs data files. Of course, when you have data files that can include scripts, macros, etc. the distinction gets blurred, but they do grasp the basics.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
  25. Re:How cheap of them! by Locutus · · Score: 1

    that's what I was thinking. They'll blow billions every 3 months on BING and have blown billions on Zune and Windows CE but when it comes to security for Windows, the product which allows them to spend/waste so many billions, they offer a $200k bounty if you qualify? As you said, "How CHEAP of them!".

    Then again, it's probably just another PR stunt.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  26. Re:Can I submit "Linux?" by realityimpaired · · Score: 1

    It's about ways to protect against bugs/exploits... specifically, about ways to protect against entire classes of bugs/exploits. In this case, they can learn a little from other systems, but it's not exactly innovative:

    1. No running as administrative user. Make it impossible to modify anything that isn't in the home directory of the user without logging out, and logging back in as an administrator. Make it impossible to run an executable from the home directory unless you're running with admin privileges. Make it impossible to elevate permissions without logging out and back in as an administrator. Introduce a minor annoyance when you're running as administrator that will convince users to log out and run as a regular user... something like disabling the sound card when you're running as admin coupled with a screen overlay reminding users that they're running as admin, and disabling aero/screen graphics effects.
    2. Set the default to have all ports closed, and to ignore ICMP packets.
    3. Make it impossible for programs to open up incoming ports on the consumer version of the OS.

    That won't prevent idiots from getting themselves infected... it's pretty well impossible to prevent idiots from getting themselves infected without removing the ability to expand on the factory configuration. It will, however, help protect against the majority of virus vectors currently in use. It'll also annoy users enough that they'll drop Microsoft like a used kleenex, and wouldn't make good business sense for them.

  27. I have a brilliant suggestion by IWantMoreSpamPlease · · Score: 1

    Unplug the network cable.
    Tada! Instant security.

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
    1. Re:I have a brilliant suggestion by ChipMonk · · Score: 1

      Until you plug in that infected USB thumb drive.

      Or that infected USB hard drive.

      Or insert that CD that was made from the infected gold master.

  28. Re:Yeah, just like Stacker... by Larryish · · Score: 1

    Maybe you'll get a box of MS Word retail packages with a MSRP of $400 each instead of a check?

    And then when you sell them on Ebay, MS will use the DMCA to have the auctions removed.

  29. how about stopping the attack before it starts. by alienzed · · Score: 1

    Option 1: Disable network connection. Now you can only hack yourself. Option 2: Nuke the world; cockroaches can't hack. Nobody, no problem. Please send the money to the address in my profile. Thx.

    --
    Never say never. Ah!! I did it again!
  30. Meanwhile, elsewhere by FlyveHest · · Score: 1

    Valve is paying 1 million dollars for people playing a videogame.

  31. What will Linus do with the money? by Required+Snark · · Score: 1

    Just asking.

    --
    Why is Snark Required?
  32. Problem solved. by Eric+S.+Smith · · Score: 1

    They want to "defend against memory safety vulnerabilities?" I assume that they're talking about buffer overflows, if nothing else, and I can think of a couple of ways to prevent them: 1) non-von Neumann architecture; or, and here I'm going really crazy, I know, with an idea that'd disrupt the entire industry: 2) stop using bloody C.

  33. Idea by StripedCow · · Score: 1

    Replace web browsers by virtual machines.

    Rationale: web browsers are WAY too complicated to be ever secure; virtual machines, on the other hand need to support only a relatively small set of base instructions; as extra advantages, virtual machines are also more flexible and may relieve developers from the browser-compatibility headaches they've been having for years. Let's do it :)

    --
    If Pandora's box is destined to be opened, *I* want to be the one to open it.
  34. A Blue Hat? by bradorsomething · · Score: 1

    I thought a Blue Hat was a Black Hat that couldn't get laid,

  35. old school by pbjones · · Score: 1

    pocket calculator and a typewriter, and a fire-proof safe. These will cost you less than a reasonable PC and give you many years of service. Just send a couple of $1000 in real currency, none of the e-Money/net-money crap!

    --
    There was an unknown error in the submission.
  36. Caps by Lorens · · Score: 1

    Microsoft employed capability researcher Jonathan Shapiro for some time, but not any more. I wonder if that's because they decided it was too hard, unfeasible, never wanted caps at all, or some other reason. Caps would definitely be a way to defeat several if not most classes of bugs. In fact I have never encountered another method of computer security that seems credible.

  37. Nothing like working for M$ on Spec(ulation) by theNAM666 · · Score: 1

    http://no-spec.com/

    This is no different. M$'s "prize" is less than it would cost to PAY people to conduct the equivalent research. This kind of "contest" which is really "exploitation" should be considered an(other) unfair labour practice.

  38. Paying by munky99999 · · Score: 1

    I'm paying $200,000 for your $1,000,000 working product... oh wait.

  39. Re:A system and method for preventing virus infect by rgviza · · Score: 1

    You could reverse the polarity of the electrical connection :-p

    --
    Don't kid yourself. It's the size of the regexp AND how you use it that counts.