Forgot your password?
typodupeerror
Microsoft Security The Almighty Buck IT

Microsoft To Pay $200k Prize For New Security Tech 111

Posted by samzenpus
from the making-a-little-pocket-money dept.
Trailrunner7 writes "In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to 'inspire researchers to focus their talents on defensive technologies,' the company said. Known as the Blue Hat Prize, after the company's regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google, Mozilla and others do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs."
This discussion has been archived. No new comments can be posted.

Microsoft To Pay $200k Prize For New Security Tech

Comments Filter:
  • Awesome! That'll pay for 15 graduate students!
    • by bberens (965711)

      Awesome! That'll pay for 15 graduate students!

      More like 15 graduate credits. Inflation gets you every time.

    • by gweihir (88907)

      In countries where PhD students are compensated reasonably (and hence are among the best), this does pay for about 1/4 of one PhD. For real results, MS would have to invest more like 5 Million. This is a stupid and pathetic publicity stunt.

  • by blair1q (305137) on Wednesday August 03, 2011 @02:50PM (#36975558) Journal

    If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

    • But then Microsoft will find some BS law stating that since it was developed in regards to this competition they own the product and require you to hand over your code....or worse.
    • by fishybell (516991)

      If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

      The $200k is essentially the license fee for the idea to Microsoft. Not a great deal, but not a bad one either.

      You can still sell the idea (and implementations) to whomever you desire (including Microsoft if they want to buy a better implementation).

      The biggest problem I see is what happens if you win the MSDN subscription (no cash) or the $50k prize. The no money MSDN is an obvious bad deal on a potentially profitable product, and the $50k is likely a a very bad deal on a potentially profitable product

      • by sqlrob (173498)

        Not quite.

        The promise of a potential $200K is the payment. It's a crappy deal. They can use any of the submissions, not just the winning ones.

        • And this is why I think Contests make for one of the biggest legal scams of the internet age.

          Some might turn out wonderful for the winners but beware of any resource provided by the organizers that might render your own work unusable (unless you win and only on their terms). If you intend on competing for a prize and not just using the experience make sure you read the terms and conditions multiple times and ask around in case of any ambiguities or you might end up feeling quite disenchanted.

      • You can however always rest easy knowing that their implementation of any security product will be so-so at best. If you have a great idea and a great implementation even winning the MSDN subscription will net you a profit in the long run by licensing to others. The free press is also worth an amount, even if it can't be calculated or measured.

        Seeing that their Security Essentials is better that the other free options, and many paid options, that may be bias speaking.

        • by fishybell (516991)
          I love MSSE, but Microsoft bought it. It wasn't developed in-house so much as re-branded in-house.
    • by Jahava (946858)

      If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

      Cool, then the next-best one will win ... and so on. Either way, MS will get something useful for $200K, and in your best-case scenario lots of worthwhile products will be monetized to improve security.

  • by Anonymous Coward

    And that's all I have to say about that.

    • by erroneus (253617) on Wednesday August 03, 2011 @03:28PM (#36975932) Homepage

      If by innovative you mean "wrong" then yes, I agree.

      Microsoft created this beast of a problem over the years. It was a problem more than a decade ago and they let it grow in complexity and complication. They have it in their power to grow a culture of developers who are security conscious. And there have been countless opportunities for Microsoft along the way to requite their OS with security in mind and they haven't done it. Incremental improvements happened along the way and I am actually more pleased with Windows 7 than I ever expected to be. But Microsoft needs to get more serious than they are. They need to prepare themselves to piss off the advertising world by setting up Ad Block and No Script on MSIE. And if they integrate those two things along with a reputation scoring system which updates a local database of web servers which are safe and web servers which are known to be compromised, then they would have a more secure user experience.

      It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

      Microsoft needs to take charge on this matter, but they are clearly beholden to too many masters and their end users are the least important of them all.

      • It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

        If you wouldn't mind pointing out how Script engine exploits for the past 5 years or so have been worse than their major counterparts? It's been my understanding that Flash, Acrobat Reader and Java have been the main attack vectors, and this isn't limited to windows, or a specific browser. Don't get me wrong, having scripts run in email, let alone having it run in the "local" not the "untrusted" zone was a very stupid move in outlook and oe, but it really ism't 1999-2000 anymore.

        It's the sites/services

  • Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

  • Linus Torvalds just opened a new bank account.
  • It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.
    • by 0123456 (636235)

      It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.

      Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?

      • by Petersko (564140)
        "Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?"

        It's only a better idea if they actually say yes.
  • by Anonymous Coward

    "to defend against memory safety vulnerabilities"

    Funny that they are restricting peoples talents like this. There may be better ways to defend against malware than this, which I don't think they are trying to defend against. It seems like this type of defensive vector might be more geared to DRM/TPM.

  • Stop using Windows (Score:4, Insightful)

    by Rix (54095) on Wednesday August 03, 2011 @03:05PM (#36975736)

    When should I expect my cheque?

    • by freeze128 (544774)

      When should I expect my cheque?

      As soon as everyone stops using Windows.

      Ha Ha, BURN!

    • No, that approach fails to meet the contest terms. Use Windows, but only allow it to connect to a network (any network) through a proxy. The proxy is an *nix box running Windows in a VM, and each VM is only allowed to run a single Windows application. Multiple VMs can not communicate with each other, but they can share specific directories stored on the host (and of course, the host is performing malware scanning on those any files in those directories).

      Think of the benefits. No more DLL hell (no apps fight

  • by Riceballsan (816702) on Wednesday August 03, 2011 @03:08PM (#36975760)
    I mean correct me if I'm wrong but it sounds like rather then actually plugging the holes that cause problems, they are looking for another antivirus equivalent to try and stop things once they fall into the holes? It sounds like a bug bounty system that doesn't want to actually involve fixing bugs.
    • by h4rr4r (612664)

      This is what you get when MBAs run a company. They don't understand the problem so instead they what people to find a magic solution and for cheap.

      • by gweihir (88907)

        And that never, ever works. Pathetic MS publicity stunt, really. For this money you can get one reasonable smart and not too experienced person for a year. When doing a PhD at a good university, you need about that long to understand the problem area and formulate a research goal.

    • Actually, good security relies upon multiple layers. While this is no substitute for designing and writing secure code, the fact is bugs get through any development process. Therefore, having defenses that can catch/stop programs from exploiting those bugs is another level of defense. The more layers you have to security without getting the the way of performing work, the harder it is for any bug to be converted into a working exploit. Bugs still need to be fixed as quickly as practical, but additional laye
      • by gweihir (88907)

        Actually, good security relies upon multiple layers. While this is no substitute for designing and writing secure code, the fact is bugs get through any development process. Therefore, having defenses that can catch/stop programs from exploiting those bugs is another level of defense. The more layers you have to security without getting the the way of performing work, the harder it is for any bug to be converted into a working exploit. Bugs still need to be fixed as quickly as practical, but additional layers shrink the exposure window.

        Indeed. And that is, from a security perspective, one of the most important arguments against Windows. They have a rather pathetic excuse for OS layer security. This is their main problem from a technological point of view. Of course, as MS does not care about technological excellence, this is also the predictable result and is the reason why a community effort, or really several ones, are now far, far ahead of them.

  • That's going to be the most help. Make out the check to fsf. You're welcome.
  • by subreality (157447) on Wednesday August 03, 2011 @03:18PM (#36975838)

    Like antivirus, and antimalware, they're trying to provide active defenses for when code tries to do something bad. ... but they continue to ignore the fact that the best defense is to not run bad code to begin with. They're so gung-ho on making it easy for the user to do what they want to do (which is an admirable enough goal) that we have:

    • browsers that auto-install plugins
    • Mailreaders that let you run attachments with a couple clicks
    • Removable storage that auto-runs programs
    • Files that run because they're called *.exe instead of making the user contemplate for a moment the ramifications of chmod +x
    • Prompts to "allow the following program to make changes to this computer" without any useful context of the nature of the changes or their implications

    Instead they're trying to install laser-turrets to shoot down every incoming mosquito after it's already intruded into our secure zone. Sure, that's nice too, but it's not a substitute.

    • im pretty sure they mean passive, real defenses here
      that said 200 000 while its good for a small thing, its nothing if someone comes up with something groundbreaking.

  • So Microsoft's big idea is to buy software that other people have made?

    I suppose it's not a bad business model, buy something that someone else created and rebrand it to sell it yourself...I mean hey, it worked for them before, right?

    But why can't the world's largest software company do this themselves? I understand the need for an "outsider" to have a different perspective, but it seems that they should still be able to do this themselves.

    Almost 30 years, and you still suck at life. Way to go, Microsoft.

    • by Anonymous Coward

      You know you have a big company when they are castigated for not invented here syndrome AND for not inventing everything here.

  • This kind of contest worked pretty darn well for Netflix.
  • STOP HIDING FILE EXTENSIONS!

    Really, this has got to be the premiere cause of users not gaining some semblance of understanding in the basics of Windows-based computing. Once users start seeing these little tags after the name of a file, everything becomes much easier to explain and suddenly users are undimmed, if not enlightened.

    • Wait, you think users will even notice?

      All joking aside, that is one of the defaults that I really hate on Windows. It's completely useless. It doesn't make things any clearer for non-technical users, in fact, it leaves them uninformed and oblivious, while at the same time, it makes extra work for more technical users and tech support.

      • by dargndorp (939841)

        No, the default uninformed user won't notice.

        However, and this is purely my perspective, once I've had a little talk with users when giving them the tour of their newly resurrected system, faces light up when I tell them that this little thingamajig after the filename is how Windows decides what type of file it is and what Windows thinks it can do with it. The gap to getting a grip on the whole systems seems (to me) to close quite a bit.

        Amazingly, the "type" column in Windows Explorer seems not to work for

        • I agree, most users don't notice, and most understand quite well with a 1-2 minute explanation about what file extensions are and which ones are executable. I've supported hundreds of users, only had 1-2 who seemed to have any difficulty grasping the concept of file name extensions and the fundamental difference between executable files vs data files. Of course, when you have data files that can include scripts, macros, etc. the distinction gets blurred, but they do grasp the basics.
  • Unplug the network cable.
    Tada! Instant security.

    • by ChipMonk (711367)
      Until you plug in that infected USB thumb drive.

      Or that infected USB hard drive.

      Or insert that CD that was made from the infected gold master.
  • Option 1: Disable network connection. Now you can only hack yourself. Option 2: Nuke the world; cockroaches can't hack. Nobody, no problem. Please send the money to the address in my profile. Thx.
  • Valve is paying 1 million dollars for people playing a videogame.

  • They want to "defend against memory safety vulnerabilities?" I assume that they're talking about buffer overflows, if nothing else, and I can think of a couple of ways to prevent them: 1) non-von Neumann architecture; or, and here I'm going really crazy, I know, with an idea that'd disrupt the entire industry: 2) stop using bloody C.

  • Replace web browsers by virtual machines.

    Rationale: web browsers are WAY too complicated to be ever secure; virtual machines, on the other hand need to support only a relatively small set of base instructions; as extra advantages, virtual machines are also more flexible and may relieve developers from the browser-compatibility headaches they've been having for years. Let's do it :)

  • I thought a Blue Hat was a Black Hat that couldn't get laid,
  • pocket calculator and a typewriter, and a fire-proof safe. These will cost you less than a reasonable PC and give you many years of service. Just send a couple of $1000 in real currency, none of the e-Money/net-money crap!

  • by Lorens (597774)
    Microsoft employed capability researcher Jonathan Shapiro for some time, but not any more. I wonder if that's because they decided it was too hard, unfeasible, never wanted caps at all, or some other reason. Caps would definitely be a way to defeat several if not most classes of bugs. In fact I have never encountered another method of computer security that seems credible.
  • http://no-spec.com/ [no-spec.com] [no-spec.com]

    This is no different. M$'s "prize" is less than it would cost to PAY people to conduct the equivalent research. This kind of "contest" which is really "exploitation" should be considered an(other) unfair labour practice.

  • I'm paying $200,000 for your $1,000,000 working product... oh wait.

Never try to teach a pig to sing. It wastes your time and annoys the pig. -- Lazarus Long, "Time Enough for Love"

Working...