Microsoft To Pay $200k Prize For New Security Tech

Trailrunner7 writes "In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to 'inspire researchers to focus their talents on defensive technologies,' the company said. Known as the Blue Hat Prize, after the company's regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google, Mozilla and others do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs."

$200,000

[wsxyz]

Awesome! That'll pay for 15 graduate students!

Re:

[bberens]

Awesome! That'll pay for 15 graduate students!

More like 15 graduate credits. Inflation gets you every time.

Re:

[gweihir]

In countries where PhD students are compensated reasonably (and hence are among the best), this does pay for about 1/4 of one PhD. For real results, MS would have to invest more like 5 Million. This is a stupid and pathetic publicity stunt.

It's worth a lot more than that

[blair1q]

If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

Re:

[mushroommunk]

But then Microsoft will find some BS law stating that since it was developed in regards to this competition they own the product and require you to hand over your code....or worse.

Re:

[LifesABeach]

Maybe, but by m$ offering anything could easily be construed as Negotiation.

Re:

[fishybell]

If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

The $200k is essentially the license fee for the idea to Microsoft. Not a great deal, but not a bad one either.

You can still sell the idea (and implementations) to whomever you desire (including Microsoft if they want to buy a better implementation).

The biggest problem I see is what happens if you win the MSDN subscription (no cash) or the $50k prize. The no money MSDN is an obvious bad deal on a potentially profitable product, and the $50k is likely a a very bad deal on a potentially profitable product

Re:

[sqlrob]

Not quite.

The promise of a potential $200K is the payment. It's a crappy deal. They can use any of the submissions, not just the winning ones.

Re:

[Isaac Remuant]

And this is why I think Contests make for one of the biggest legal scams of the internet age.

Some might turn out wonderful for the winners but beware of any resource provided by the organizers that might render your own work unusable (unless you win and only on their terms). If you intend on competing for a prize and not just using the experience make sure you read the terms and conditions multiple times and ask around in case of any ambiguities or you might end up feeling quite disenchanted.

Re:

[aztracker1]

You can however always rest easy knowing that their implementation of any security product will be so-so at best. If you have a great idea and a great implementation even winning the MSDN subscription will net you a profit in the long run by licensing to others. The free press is also worth an amount, even if it can't be calculated or measured.

Seeing that their Security Essentials is better that the other free options, and many paid options, that may be bias speaking.

Re:

[fishybell]

I love MSSE, but Microsoft bought it. It wasn't developed in-house so much as re-branded in-house.

Re:

[Jahava]

If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

Cool, then the next-best one will win ... and so on. Either way, MS will get something useful for $200K, and in your best-case scenario lots of worthwhile products will be monetized to improve security.

That's an innovative approach..

[Anonymous Coward]

And that's all I have to say about that.

Re:That's an innovative approach..

[erroneus]

If by innovative you mean "wrong" then yes, I agree.

Microsoft created this beast of a problem over the years. It was a problem more than a decade ago and they let it grow in complexity and complication. They have it in their power to grow a culture of developers who are security conscious. And there have been countless opportunities for Microsoft along the way to requite their OS with security in mind and they haven't done it. Incremental improvements happened along the way and I am actually more pleased with Windows 7 than I ever expected to be. But Microsoft needs to get more serious than they are. They need to prepare themselves to piss off the advertising world by setting up Ad Block and No Script on MSIE. And if they integrate those two things along with a reputation scoring system which updates a local database of web servers which are safe and web servers which are known to be compromised, then they would have a more secure user experience.

It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

Microsoft needs to take charge on this matter, but they are clearly beholden to too many masters and their end users are the least important of them all.

Re:

[mikael]

1980's - biggest problem with MS-DOS computers was that anyone could delete and overwrite system files, especially in shared environments. It's really hard to believe now, but the standard PC didn't have any distinction between system files and user files except for the read-only, hidden and system file bits.
Boot sector viruses were the biggest worry, with sys-admins/help-desks having to continuously fix PC's.

On UNIX side, network worms were the biggest danger.

1990's - Microsoft "fixes" the problem with Win

Re:

[aztracker1]

It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

If you wouldn't mind pointing out how Script engine exploits for the past 5 years or so have been worse than their major counterparts? It's been my understanding that Flash, Acrobat Reader and Java have been the main attack vectors, and this isn't limited to windows, or a specific browser. Don't get me wrong, having scripts run in email, let alone having it run in the "local" not the "untrusted" zone was a very stupid move in outlook and oe, but it really ism't 1999-2000 anymore.

It's the sites/services

A system and method for preventing virus infection

[Compaqt]

Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

Re:

[grub]

A 5 volt shock... yeah, that'll teach 'em!
If they persist, fetch the dreaded 9 volt batteries from the armoury!

Re:

[Compaqt]

If only the USB people had allowed for 3-phase power [3phasepower.org] in the original spec...

Re:A system and method for preventing virus infect

[dragon-file]

Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

I've always preferred positive over negative reinforcement.

Re:

[wsxyz]

So every time you click on a non-malware site, then.... what?

Re:

[biek]

A whoosh sound plays over the speakers.

Re:

[Meskarune]

So every time you click on a non-malware site, then.... what?

your computer gives you an orgasm.

Re:

[Baloroth]

So every time you click on a non-malware site, then.... what?

your computer gives you an orgasm.

Wait, don't porn sites generally have the most malware?

Re:

[rgviza]

You could reverse the polarity of the electrical connection :-p

in other news,

[theswimmingbird]

Linus Torvalds just opened a new bank account.

Re:

[hansraj]

Even if this competition was about developing secure operating systems - which it is not - there are operating systems out there (though not in popular use) that are way more secure that Linux in implementation, design, or both.

Re:

[realityimpaired]

It's about ways to protect against bugs/exploits... specifically, about ways to protect against entire classes of bugs/exploits. In this case, they can learn a little from other systems, but it's not exactly innovative:

1. No running as administrative user. Make it impossible to modify anything that isn't in the home directory of the user without logging out, and logging back in as an administrator. Make it impossible to run an executable from the home directory unless you're running with admin privileges. M

Makes sense to me.

[Petersko]

It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.

Re:

[0123456]

It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.

Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?

Re:

[Petersko]

"Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?"

It's only a better idea if they actually say yes.

"focus their talents on defensive technologies"

[Anonymous Coward]

"to defend against memory safety vulnerabilities"

Funny that they are restricting peoples talents like this. There may be better ways to defend against malware than this, which I don't think they are trying to defend against. It seems like this type of defensive vector might be more geared to DRM/TPM.

Re:"focus their talents on defensive technologies"

[hansraj]

The only person quoted in TFA, Katie Moussouris is a senior security strategist in Microsoft's Trustworthy Computing Group. So I'd say that you might not be way off the mark here.

Re:

[KNicolson]

Note that Trusted Computing (TPM etc) and Trustworthy Computing (secure coding etc) are very, very different things.

Stop using Windows

[Rix]

When should I expect my cheque?

Re:

[freeze128]

When should I expect my cheque?

As soon as everyone stops using Windows.

Ha Ha, BURN!

Re:

[Korin43]

Everyone will stop using Windows now that Microsoft is publicly admitting that all their billions of dollars can't buy a decent security team, begging the public-at-large for help.

Clearly you've never met a Windows user. Microsoft could put viruses on their install CDs and publicly admit it, and people would still keep using it. In fact, after a couple years they'd start bragging about how much easier it is to get viruses on Windows ("Why do I get prompted for an administrator password before I can install viruses on Linux? It's so complicated!").

Re:

[gstrickler]

No, that approach fails to meet the contest terms. Use Windows, but only allow it to connect to a network (any network) through a proxy. The proxy is an *nix box running Windows in a VM, and each VM is only allowed to run a single Windows application. Multiple VMs can not communicate with each other, but they can share specific directories stored on the host (and of course, the host is performing malware scanning on those any files in those directories).

Think of the benefits. No more DLL hell (no apps fight

So what exactly does this entail

[Riceballsan]

I mean correct me if I'm wrong but it sounds like rather then actually plugging the holes that cause problems, they are looking for another antivirus equivalent to try and stop things once they fall into the holes? It sounds like a bug bounty system that doesn't want to actually involve fixing bugs.

Re:

[h4rr4r]

This is what you get when MBAs run a company. They don't understand the problem so instead they what people to find a magic solution and for cheap.

Re:

[gweihir]

And that never, ever works. Pathetic MS publicity stunt, really. For this money you can get one reasonable smart and not too experienced person for a year. When doing a PhD at a good university, you need about that long to understand the problem area and formulate a research goal.

Re:

[gstrickler]

Actually, good security relies upon multiple layers. While this is no substitute for designing and writing secure code, the fact is bugs get through any development process. Therefore, having defenses that can catch/stop programs from exploiting those bugs is another level of defense. The more layers you have to security without getting the the way of performing work, the harder it is for any bug to be converted into a working exploit. Bugs still need to be fixed as quickly as practical, but additional laye

Re:

[gweihir]

Actually, good security relies upon multiple layers. While this is no substitute for designing and writing secure code, the fact is bugs get through any development process. Therefore, having defenses that can catch/stop programs from exploiting those bugs is another level of defense. The more layers you have to security without getting the the way of performing work, the harder it is for any bug to be converted into a working exploit. Bugs still need to be fixed as quickly as practical, but additional layers shrink the exposure window.

Indeed. And that is, from a security perspective, one of the most important arguments against Windows. They have a rather pathetic excuse for OS layer security. This is their main problem from a technological point of view. Of course, as MS does not care about technological excellence, this is also the predictable result and is the reason why a community effort, or really several ones, are now far, far ahead of them.

default deny

[symbolset]

That's going to be the most help. Make out the check to fsf. You're welcome.

Re:

[Locutus]

that's what I was thinking. They'll blow billions every 3 months on BING and have blown billions on Zune and Windows CE but when it comes to security for Windows, the product which allows them to spend/waste so many billions, they offer a $200k bounty if you qualify? As you said, "How CHEAP of them!".

Then again, it's probably just another PR stunt.

LoB

And thus MS misses the mark again

[subreality]

Like antivirus, and antimalware, they're trying to provide active defenses for when code tries to do something bad. ... but they continue to ignore the fact that the best defense is to not run bad code to begin with. They're so gung-ho on making it easy for the user to do what they want to do (which is an admirable enough goal) that we have:

• browsers that auto-install plugins
• Mailreaders that let you run attachments with a couple clicks
• Removable storage that auto-runs programs
• Files that run because they're called *.exe instead of making the user contemplate for a moment the ramifications of chmod +x
• Prompts to "allow the following program to make changes to this computer" without any useful context of the nature of the changes or their implications

Instead they're trying to install laser-turrets to shoot down every incoming mosquito after it's already intruded into our secure zone. Sure, that's nice too, but it's not a substitute.

Re:

[subreality]

Except they don't. By using centralized package management, I don't have to run random binaries I downloaded to install things. I go into the package manager, and I know exactly what the implications are: it'll install a piece of software. If I don't like it, I uninstall it, and it does so cleanly.

I get flash through the package manager.
My mailreader doesn't let me directly execute programs (unless they're .exe which get run in Wine amusingly).
My removable storage doesn't auto-run.
Programs have to be chm

Re:

[0123456]

Running all random applications as root died with Windows XP, at least once Windows XP realizes that it's dead.

Yeah, now users have to click 'OK' when they see the box that says 'Hello Kitty Screensaver wants to: Access Hard Disk' before it can install its malware payload.

Re:

[subreality]

That hasn't been true since the IE6 days.

Take IE9 to a web page that wants a plugin, and you're about two clicks away from installing it.

You mean like the huge warning they get when downloading programs from the web? CLI doesn't exist for 99% of users.

Yes, I mean exactly that. The very *existence* of that dialog is the problem. The workflow for installing things on Windows means you have to do that. Doing it right doesn't mean writing a better warning message, because the user is solely focused on "what do I need to click to make it go" and isn't going to read the warning.

It doesn't mean you have to go to the CLI: right click, properties, permissions, execu

Re:

[kangsterizer]

im pretty sure they mean passive, real defenses here
that said 200 000 while its good for a small thing, its nothing if someone comes up with something groundbreaking.

Back to their roots...

[Scarred Intellect]

So Microsoft's big idea is to buy software that other people have made?

I suppose it's not a bad business model, buy something that someone else created and rebrand it to sell it yourself...I mean hey, it worked for them before, right?

But why can't the world's largest software company do this themselves? I understand the need for an "outsider" to have a different perspective, but it seems that they should still be able to do this themselves.

Almost 30 years, and you still suck at life. Way to go, Microsoft.

Re:

[Anonymous Coward]

You know you have a big company when they are castigated for not invented here syndrome AND for not inventing everything here.

Re:

[Larryish]

Maybe you'll get a box of MS Word retail packages with a MSRP of $400 each instead of a check?

And then when you sell them on Ebay, MS will use the DMCA to have the auctions removed.

Precedent

[BlueMikey]

This kind of contest worked pretty darn well for Netflix.

STOP HIDING FILE EXTENSIONS!

[dargndorp]

STOP HIDING FILE EXTENSIONS!

Really, this has got to be the premiere cause of users not gaining some semblance of understanding in the basics of Windows-based computing. Once users start seeing these little tags after the name of a file, everything becomes much easier to explain and suddenly users are undimmed, if not enlightened.

Re:

[gstrickler]

Wait, you think users will even notice?

All joking aside, that is one of the defaults that I really hate on Windows. It's completely useless. It doesn't make things any clearer for non-technical users, in fact, it leaves them uninformed and oblivious, while at the same time, it makes extra work for more technical users and tech support.

Re:

[dargndorp]

No, the default uninformed user won't notice.

However, and this is purely my perspective, once I've had a little talk with users when giving them the tour of their newly resurrected system, faces light up when I tell them that this little thingamajig after the filename is how Windows decides what type of file it is and what Windows thinks it can do with it. The gap to getting a grip on the whole systems seems (to me) to close quite a bit.

Amazingly, the "type" column in Windows Explorer seems not to work for

Re:

[gstrickler]

I agree, most users don't notice, and most understand quite well with a 1-2 minute explanation about what file extensions are and which ones are executable. I've supported hundreds of users, only had 1-2 who seemed to have any difficulty grasping the concept of file name extensions and the fundamental difference between executable files vs data files. Of course, when you have data files that can include scripts, macros, etc. the distinction gets blurred, but they do grasp the basics.

I have a brilliant suggestion

[IWantMoreSpamPlease]

Unplug the network cable.
Tada! Instant security.

Re:

[ChipMonk]

Until you plug in that infected USB thumb drive.

Or that infected USB hard drive.

Or insert that CD that was made from the infected gold master.

how about stopping the attack before it starts.

[alienzed]

Option 1: Disable network connection. Now you can only hack yourself. Option 2: Nuke the world; cockroaches can't hack. Nobody, no problem. Please send the money to the address in my profile. Thx.

Meanwhile, elsewhere

[FlyveHest]

Valve is paying 1 million dollars for people playing a videogame.

What will Linus do with the money?

[Required Snark]

Just asking.

Problem solved.

[Eric S. Smith]

They want to "defend against memory safety vulnerabilities?" I assume that they're talking about buffer overflows, if nothing else, and I can think of a couple of ways to prevent them: 1) non-von Neumann architecture; or, and here I'm going really crazy, I know, with an idea that'd disrupt the entire industry: 2) stop using bloody C.

Idea

[StripedCow]

Replace web browsers by virtual machines.

Rationale: web browsers are WAY too complicated to be ever secure; virtual machines, on the other hand need to support only a relatively small set of base instructions; as extra advantages, virtual machines are also more flexible and may relieve developers from the browser-compatibility headaches they've been having for years. Let's do it :)

A Blue Hat?

[bradorsomething]

I thought a Blue Hat was a Black Hat that couldn't get laid,

old school

[pbjones]

pocket calculator and a typewriter, and a fire-proof safe. These will cost you less than a reasonable PC and give you many years of service. Just send a couple of $1000 in real currency, none of the e-Money/net-money crap!

Caps

[Lorens]

Microsoft employed capability researcher Jonathan Shapiro for some time, but not any more. I wonder if that's because they decided it was too hard, unfeasible, never wanted caps at all, or some other reason. Caps would definitely be a way to defeat several if not most classes of bugs. In fact I have never encountered another method of computer security that seems credible.

Nothing like working for M$ on Spec(ulation)

[theNAM666]

http://no-spec.com/ [no-spec.com] [no-spec.com]

This is no different. M$'s "prize" is less than it would cost to PAY people to conduct the equivalent research. This kind of "contest" which is really "exploitation" should be considered an(other) unfair labour practice.

Paying

[munky99999]

I'm paying $200,000 for your $1,000,000 working product... oh wait.

Re:

[hansraj]

Hey Bob, no talk of subluxation this time? Getting subtler in your trolling, eh?

Re:

[gcnaddict]

The best computer defense is to TURN IT OFF!

First to permanently turn Bob's computer off will probably win the prize.