
Microsoft To Pay $200k Prize For New Security Tech

samzenpus posted about 3 years ago | from the making-a-little-pocket-money dept.


Trailrunner7 writes "In the face of mounting external pressure to begin paying bug bounties, Microsoft is instead launching a new program that will pay a $200,000 top prize to a security researcher who develops the most innovative defensive security technology. The program is designed to 'inspire researchers to focus their talents on defensive technologies,' the company said. Known as the Blue Hat Prize, after the company's regular internal research conferences, the program will focus in its first year on getting researchers to design a novel runtime technology to defend against memory safety vulnerabilities. Microsoft security officials said that rather than paying for individual bugs the way that some other companies such as Google, Mozilla and others do, they wanted to encourage researchers to think about ways to defeat entire classes of bugs."


111 comments


$200,000 (1)

wsxyz (543068) | about 3 years ago | (#36975554)

Awesome! That'll pay for 15 graduate students!

Re:$200,000 (1)

bberens (965711) | about 3 years ago | (#36975800)

Awesome! That'll pay for 15 graduate students!

More like 15 graduate credits. Inflation gets you every time.

Re:$200,000 (0)

Anonymous Coward | about 3 years ago | (#36975882)

I was gonna go the other way. Note he said "that'll pay for 15 graduate students" not "that'll pay for 15 people to go to graduate school". These days I'm pretty sure you can buy a graduate student for like $10 tops.

Re:$200,000 (0)

Anonymous Coward | about 3 years ago | (#36977144)

I give you the "Air Gap". Some might say it's vapourware, but I think it will work!

Re:$200,000 (1)

gweihir (88907) | about 3 years ago | (#36979880)

In countries where PhD students are compensated reasonably (and hence are among the best), this does pay for about 1/4 of one PhD. For real results, MS would have to invest more like 5 Million. This is a stupid and pathetic publicity stunt.

Sit on your butts! (1, Offtopic)

Dr.Bob,DC (2076168) | about 3 years ago | (#36975556)


I can't understand why Microsoft would want to create a contest to promote people to sit on their butts for even longer than we do! This has no practical purpose, unlike Bill Gates' plan to bring toilets to the Third World. That's butt-sitting, yes, but it will help poorly managed nervous systems from being overrun by diseases like Cholera. If those people followed a strict vegan diet, their feces would help flush disease from their system.

The best computer defense is to TURN IT OFF!

Get plenty of exercise

Get plenty of sleep

Eat well, preferably an organic, vegan diet

Receive spinal adjustments to ensure your nervous system is in tip-top shape!

Take care,
Bob

Re:Sit on your butts! (1)

hansraj (458504) | about 3 years ago | (#36975898)

Hey Bob, no talk of subluxation this time? Getting subtler in your trolling, eh?

Re:Sit on your butts! (1)

gcnaddict (841664) | about 3 years ago | (#36975984)

The best computer defense is to TURN IT OFF!

First to permanently turn Bob's computer off will probably win the prize.

It's worth a lot more than that (4, Insightful)

blair1q (305137) | about 3 years ago | (#36975558)

If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

Re:It's worth a lot more than that (1)

mushroommunk (2427574) | about 3 years ago | (#36975758)

But then Microsoft will find some BS law stating that since it was developed in regards to this competition they own the product and require you to hand over your code....or worse.

Re:It's worth a lot more than that (1)

LifesABeach (234436) | about 3 years ago | (#36976434)

Maybe, but by m$ offering anything could easily be construed as Negotiation.

Re:It's worth a lot more than that (2)

fishybell (516991) | about 3 years ago | (#36975790)

If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

The $200k is essentially the license fee for the idea to Microsoft. Not a great deal, but not a bad one either.

You can still sell the idea (and implementations) to whomever you desire (including Microsoft if they want to buy a better implementation).

The biggest problem I see is what happens if you win the MSDN subscription (no cash) or the $50k prize. The no-money MSDN is an obvious bad deal on a potentially profitable product, and the $50k is likely a very bad deal on a potentially profitable product. Microsoft will however likely not implement any one idea, but rather a collection of all ideas.

You can however always rest easy knowing that their implementation of any security product will be so-so at best. If you have a great idea and a great implementation even winning the MSDN subscription will net you a profit in the long run by licensing to others. The free press is also worth an amount, even if it can't be calculated or measured.

Re:It's worth a lot more than that (1)

sqlrob (173498) | about 3 years ago | (#36976908)

Not quite.

The promise of a potential $200K is the payment. It's a crappy deal. They can use any of the submissions, not just the winning ones.

Re:It's worth a lot more than that (1)

Isaac Remuant (1891806) | about 3 years ago | (#36977926)

And this is why I think Contests make for one of the biggest legal scams of the internet age.

Some might turn out wonderful for the winners but beware of any resource provided by the organizers that might render your own work unusable (unless you win and only on their terms). If you intend on competing for a prize and not just using the experience make sure you read the terms and conditions multiple times and ask around in case of any ambiguities or you might end up feeling quite disenchanted.

Re:It's worth a lot more than that (1)

aztracker1 (702135) | about 3 years ago | (#36976988)

You can however always rest easy knowing that their implementation of any security product will be so-so at best. If you have a great idea and a great implementation even winning the MSDN subscription will net you a profit in the long run by licensing to others. The free press is also worth an amount, even if it can't be calculated or measured.

Seeing that their Security Essentials is better than the other free options, and many paid options, that may be bias speaking.

Re:It's worth a lot more than that (1)

Jahava (946858) | about 3 years ago | (#36976024)

If I develop something capable of winning this prize, I'm productizing it and making Microsoft pay for EULAs for it. That'll net me a lot more than $200k just from them, and more from everyone else.

Cool, then the next-best one will win ... and so on. Either way, MS will get something useful for $200K, and in your best-case scenario lots of worthwhile products will be monetized to improve security.

That's an innovative approach.. (1)

Anonymous Coward | about 3 years ago | (#36975562)

And that's all I have to say about that.

Re:That's an innovative approach.. (3, Insightful)

erroneus (253617) | about 3 years ago | (#36975932)

If by innovative you mean "wrong" then yes, I agree.

Microsoft created this beast of a problem over the years. It was a problem more than a decade ago and they let it grow in complexity and complication. They have it in their power to grow a culture of developers who are security conscious. And there have been countless opportunities for Microsoft along the way to requite their OS with security in mind and they haven't done it. Incremental improvements happened along the way and I am actually more pleased with Windows 7 than I ever expected to be. But Microsoft needs to get more serious than they are. They need to prepare themselves to piss off the advertising world by setting up Ad Block and No Script on MSIE. And if they integrate those two things along with a reputation scoring system which updates a local database of web servers which are safe and web servers which are known to be compromised, then they would have a more secure user experience.

It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

Microsoft needs to take charge on this matter, but they are clearly beholden to too many masters and their end users are the least important of them all.

Re:That's an innovative approach.. (0)

Anonymous Coward | about 3 years ago | (#36976692)

If by innovative you mean "wrong" then yes, I agree.

Take your blinkers off.

Microsoft created this beast of a problem over the years. It was a problem more than a decade ago and they let it grow in complexity and complication.

Let what grow? Idiotic fact-free rant.

They have it in their power to grow a culture of developers who are security conscious.

They've used that power wisely. Suggest you join the rest of us in the year 2011.

And there have been countless opportunities for Microsoft along the way to requite their OS with security in mind and they haven't done it.

What did you want to see implemented that was not done? Add some facts to the haterade please.

Incremental improvements happened along the way and I am actually more pleased with Windows 7 than I ever expected to be.

Great. The world was waiting on your approval.

But Microsoft needs to get more serious than they are. They need to prepare themselves to piss off the advertising world by setting up Ad Block and No Script on MSIE.

Finally some good suggestions -- if you just made that suggestion, and removed the fact-free rant, people would take your comment more seriously. It's very painful to have to read 3 paras of biased nonsense to come to the meat of a post.

And if they integrate those two things along with a reputation scoring system which updates a local database of web servers which are safe and web servers which are known to be compromised, then they would have a more secure user experience.

Already done.

It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

Fact-free again. Javascript is buggy on all browsers.

Microsoft needs to take charge on this matter, but they are clearly beholden to too many masters and their end users are the least important of them all.

Fact-free. Beholden to too many masters? WTF.. try to turn that into a factual statement you fucking moron.

Re:That's an innovative approach.. (1)

mikael (484) | about 3 years ago | (#36979892)

1980's - biggest problem with MS-DOS computers was that anyone could delete and overwrite system files, especially in shared environments. It's really hard to believe now, but the standard PC didn't have any distinction between system files and user files except for the read-only, hidden and system file bits.
Boot sector viruses were the biggest worry, with sys-admins/help-desks having to continuously fix PCs.

On UNIX side, network worms were the biggest danger.

1990's - Microsoft "fixes" the problem with Windows systems through the use of the "registry", which was to put all important system information in one big hidden place. Separate User IDs and accounts were introduced to give some basic security, but PC owners just give all their new accounts system admin access in order to allow the downloading of games. Neither of these helped to stop the problem of malware.

If anything, having *hidden* compartments/directories/files on a system, only assists malware, by giving it places to hide data. Even deep directory paths and filenames with strange characters like * or # assist in this.

Re:That's an innovative approach.. (0)

Anonymous Coward | about 3 years ago | (#36976768)

There should be a class action against them for the harm done to government, commercial, and personal security by their past gross negligence. They should be required to release "in-the-wild" security patches that seek out and disable networking on all older OSes they've released that no longer get security updates or don't have them installed. Versions that can't safely go online long enough to get patches should be disabled too. Load a test file that appears at every startup explaining what has happened, and how to download/burn patches from a current machine or competing OS to an optical disc or USB drive. OSes that have an expiration date for patches should have networking expire on the same date as well. (And all networked machines should validate the dates with a time server or be disabled)
Get their festering code off the intertubes! People have to vaccinate dogs, why shouldn't Microsoft take responsibility for their dogs??

Re:That's an innovative approach.. (1)

aztracker1 (702135) | about 3 years ago | (#36977120)

It's the frikken Javascript crap that's trashing users' computers left and right and they are invariably running MSIE when it happens.

If you wouldn't mind pointing out how Script engine exploits for the past 5 years or so have been worse than their major counterparts? It's been my understanding that Flash, Acrobat Reader and Java have been the main attack vectors, and this isn't limited to windows, or a specific browser. Don't get me wrong, having scripts run in email, let alone having it run in the "local" not the "untrusted" zone was a very stupid move in outlook and oe, but it really isn't 1999-2000 anymore.

It's the sites/services actively working to continue supporting IE6-7-8 that are the problem... We should all push the yellow banner at the top to older IE users. Like the 20 things I learned site does... same for firefox 3.5, and older safari and opera versions.

A system and method for preventing virus infection (1)

Compaqt (1758360) | about 3 years ago | (#36975568)

Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

Re:A system and method for preventing virus infect (1)

grub (11606) | about 3 years ago | (#36975620)


A 5 volt shock... yeah, that'll teach 'em!
If they persist, fetch the dreaded 9 volt batteries from the armoury!

Re:A system and method for preventing virus infect (1)

Compaqt (1758360) | about 3 years ago | (#36975724)

If only the USB people had allowed for 3-phase power [3phasepower.org] in the original spec...

Re:A system and method for preventing virus infect (0)

Anonymous Coward | about 3 years ago | (#36975920)

Guess what batteries are in a Taser...

Re:A system and method for preventing virus infect (4, Funny)

dragon-file (2241656) | about 3 years ago | (#36975642)

Wire hooked up from the USB port delivers a 5 volt shock when user clicks on a malware site.

I've always preferred positive over negative reinforcement.

Re:A system and method for preventing virus infect (1)

wsxyz (543068) | about 3 years ago | (#36975662)

So every time you click on a non-malware site, then.... what?

Re:A system and method for preventing virus infect (3, Insightful)

biek (1946790) | about 3 years ago | (#36975696)

A whoosh sound plays over the speakers.

Re:A system and method for preventing virus infect (1)

Meskarune (988797) | about 3 years ago | (#36975698)

So every time you click on a non-malware site, then.... what?

your computer gives you an orgasm.

Re:A system and method for preventing virus infect (0)

Anonymous Coward | about 3 years ago | (#36975742)

So every time you click on a non-malware site, then.... what?

your computer gives you an orgasm.

That's more likely to happen from a site containing malware, frankly.

Re:A system and method for preventing virus infect (2)

Baloroth (2370816) | about 3 years ago | (#36975748)

So every time you click on a non-malware site, then.... what?

your computer gives you an orgasm.

Wait, don't porn sites generally have the most malware?

Re:A system and method for preventing virus infect (0)

Anonymous Coward | about 3 years ago | (#36975870)

it shocks the guy next to you

Re:A system and method for preventing virus infect (0)

Anonymous Coward | about 3 years ago | (#36976550)

USB is positive 5 volts so you're golden.

in other news, (1)

theswimmingbird (1746180) | about 3 years ago | (#36975582)

Linus Torvalds just opened a new bank account.

Can I submit "Linux?" (0)

Anonymous Coward | about 3 years ago | (#36975598)

Wouldn't it be awesome if RedHat won the Blue Hat prize.

Re:Can I submit "Linux?" (0)

Anonymous Coward | about 3 years ago | (#36975780)

They'd have to rename the company Purple Hat.

Re:Can I submit "Linux?" (1)

hansraj (458504) | about 3 years ago | (#36975962)

Even if this competition was about developing secure operating systems - which it is not - there are operating systems out there (though not in popular use) that are way more secure than Linux in implementation, design, or both.

Re:Can I submit "Linux?" (1)

realityimpaired (1668397) | about 3 years ago | (#36976362)

It's about ways to protect against bugs/exploits... specifically, about ways to protect against entire classes of bugs/exploits. In this case, they can learn a little from other systems, but it's not exactly innovative:

1. No running as administrative user. Make it impossible to modify anything that isn't in the home directory of the user without logging out, and logging back in as an administrator. Make it impossible to run an executable from the home directory unless you're running with admin privileges. Make it impossible to elevate permissions without logging out and back in as an administrator. Introduce a minor annoyance when you're running as administrator that will convince users to log out and run as a regular user... something like disabling the sound card when you're running as admin coupled with a screen overlay reminding users that they're running as admin, and disabling aero/screen graphics effects.
2. Set the default to have all ports closed, and to ignore ICMP packets.
3. Make it impossible for programs to open up incoming ports on the consumer version of the OS.

That won't prevent idiots from getting themselves infected... it's pretty well impossible to prevent idiots from getting themselves infected without removing the ability to expand on the factory configuration. It will, however, help protect against the majority of virus vectors currently in use. It'll also annoy users enough that they'll drop Microsoft like a used kleenex, and wouldn't make good business sense for them.
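The "default closed" policy in steps 2 and 3 above is only as good as a check that the host actually honours it. The script below is an added example, not code from any poster in this thread or from Microsoft: it audits a socket listing in the column layout of `ss -lntuH` (Netid, State, Recv-Q, Send-Q, Local, Peer; assumed here, and on a Linux host rather than the Windows box the post has in mind), reports every socket reachable from outside the machine (anything not bound to a loopback address), and compares that list against an allow list so a machine that is supposed to expose nothing, or only one service, can be verified. The sample listing is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: audit listening sockets against a "default closed" policy.
# Assumed input format: lines in the layout of `ss -lntuH`, i.e.
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# SAMPLE_SS is a constructed listing, not output captured from a real host.
SAMPLE_SS='tcp   LISTEN 0 128 127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0 511 *:80               *:*
udp   UNCONN 0 0   0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0 128 [::1]:5432         [::]:*'

# Print every socket that is reachable from off-host, one "proto port" per
# line. Loopback-bound sockets (127.x and [::1]) are local-only and skipped.
exposed_sockets() {
    printf '%s\n' "$1" | awk '
    {
        addr = $5
        n = split(addr, parts, ":")
        port = parts[n]
        # Everything before the last ":" is the bind address (IPv4, [IPv6] or *).
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "[::1]" || host ~ /^127\./) next
        print $1, port
    }'
}

# Print exposed sockets that are NOT on the allow list.
# $2 is a space-separated allow list such as "tcp/22 udp/68".
violations() {
    allow=" $2 "
    exposed_sockets "$1" | while read -r proto port; do
        case "$allow" in
            *" $proto/$port "*) ;;            # explicitly permitted
            *) echo "$proto/$port" ;;         # policy violation
        esac
    done
}

# Exit 0 when the host exposes nothing beyond the allow list, 1 otherwise.
check_policy() {
    [ -z "$(violations "$1" "$2")" ]
}

# Stand-alone usage: on a real host replace SAMPLE_SS with "$(ss -lntuH)".
if check_policy "$SAMPLE_SS" "tcp/22"; then
    echo "OK: only allowed services are exposed"
else
    echo "Policy violations:"
    violations "$SAMPLE_SS" "tcp/22"
fi
```

Running it with `tcp/22` as the only allowed service flags the web server on port 80 and the DHCP client on udp/68 while ignoring CUPS and PostgreSQL, which are bound to loopback and therefore not reachable from the network.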

Makes sense to me. (1)

Petersko (564140) | about 3 years ago | (#36975636)

It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.

Re:Makes sense to me. (1)

0123456 (636235) | about 3 years ago | (#36975794)

It's pocket change for Microsoft, but high enough to attract real interest. And $200,000 is just the beginning. Microsoft will make a very lucrative offer to whomever innovates at that level.

Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?

Re:Makes sense to me. (1)

Petersko (564140) | about 3 years ago | (#36976402)

"Surely a better idea would be to patent your innovative technology and then ask Microsoft for $200,000,000 to license it?"

It's only a better idea if they actually say yes.

"focus their talents on defensive technologies" (2, Interesting)

Anonymous Coward | about 3 years ago | (#36975678)

"to defend against memory safety vulnerabilities"

Funny that they are restricting people's talents like this. There may be better ways to defend against malware than this, which I don't think they are trying to defend against. It seems like this type of defensive vector might be more geared to DRM/TPM.

Re:"focus their talents on defensive technologies" (3, Informative)

hansraj (458504) | about 3 years ago | (#36976032)

The only person quoted in TFA, Katie Moussouris is a senior security strategist in Microsoft's Trustworthy Computing Group. So I'd say that you might not be way off the mark here.

Stop using Windows (3, Insightful)

Rix (54095) | about 3 years ago | (#36975736)

When should I expect my cheque?

Re:Stop using Windows (1)

freeze128 (544774) | about 3 years ago | (#36975854)

When should I expect my cheque?

As soon as everyone stops using Windows.

Ha Ha, BURN!

Re:Stop using Windows (0)

Anonymous Coward | about 3 years ago | (#36976036)

Everyone will stop using Windows now that Microsoft is publicly admitting that all their billions of dollars can't buy a decent security team, begging the public-at-large for help.

-- Ethanol-fueled

Re:Stop using Windows (1)

Korin43 (881732) | about 3 years ago | (#36978076)

Everyone will stop using Windows now that Microsoft is publicly admitting that all their billions of dollars can't buy a decent security team, begging the public-at-large for help.

Clearly you've never met a Windows user. Microsoft could put viruses on their install CDs and publicly admit it, and people would still keep using it. In fact, after a couple years they'd start bragging about how much easier it is to get viruses on Windows ("Why do I get prompted for an administrator password before I can install viruses on Linux? It's so complicated!").

Re:Stop using Windows (0)

Anonymous Coward | about 3 years ago | (#36977098)

Thanks to it going through Windows Update, my botnet is spreading like wildfire.

Let's see who laughs last. :P

P.S.: I swear, the CAPTCHAs are always words from one of the comments at that time!

Re:Stop using Windows (0)

Anonymous Coward | about 3 years ago | (#36976206)

I don't think they'll take this answer...

Start using Windows, on the other hand, might indeed be accepted by our Redmond judges.

Re:Stop using Windows (1)

gstrickler (920733) | about 3 years ago | (#36976710)

No, that approach fails to meet the contest terms. Use Windows, but only allow it to connect to a network (any network) through a proxy. The proxy is an *nix box running Windows in a VM, and each VM is only allowed to run a single Windows application. Multiple VMs can not communicate with each other, but they can share specific directories stored on the host (and of course, the host is performing malware scanning on any files in those directories).

Think of the benefits. No more DLL hell (no apps fighting over incompatible DLLs), no access to other apps info. No direct network access, inbound or outbound. No spreading infected files or email to other machines. No zombies. No access to the MBR or BIOS.

I'll offer you (0)

Anonymous Coward | about 3 years ago | (#36975754)

my Red Hat for your Blue Hat.

So what exactly does this entail (2)

Riceballsan (816702) | about 3 years ago | (#36975760)

I mean correct me if I'm wrong but it sounds like rather then actually plugging the holes that cause problems, they are looking for another antivirus equivalent to try and stop things once they fall into the holes? It sounds like a bug bounty system that doesn't want to actually involve fixing bugs.

Re:So what exactly does this entail (2)

h4rr4r (612664) | about 3 years ago | (#36975812)

This is what you get when MBAs run a company. They don't understand the problem so instead they want people to find a magic solution and for cheap.

Re:So what exactly does this entail (1)

gweihir (88907) | about 3 years ago | (#36979910)

And that never, ever works. Pathetic MS publicity stunt, really. For this money you can get one reasonably smart and not too experienced person for a year. When doing a PhD at a good university, you need about that long to understand the problem area and formulate a research goal.

Re:So what exactly does this entail (1)

gstrickler (920733) | about 3 years ago | (#36976934)

Actually, good security relies upon multiple layers. While this is no substitute for designing and writing secure code, the fact is bugs get through any development process. Therefore, having defenses that can catch/stop programs from exploiting those bugs is another level of defense. The more layers of security you have without getting in the way of performing work, the harder it is for any bug to be converted into a working exploit. Bugs still need to be fixed as quickly as practical, but additional layers shrink the exposure window.

Is Microsoft fishing for hackers? (0)

Anonymous Coward | about 3 years ago | (#36975804)

My solution would be equivalent to putting Microsoft in the Games folder and running any free operating system.

Like you guys said, one could net a lot more than $200k by solving the cancerous malware that plagues MS systems for most users.

default deny (1)

symbolset (646467) | about 3 years ago | (#36975814)

That's going to be the most help. Make out the check to fsf. You're welcome.

How cheap of them! (0)

Anonymous Coward | about 3 years ago | (#36975830)

Wow!

How CHEAP of them!

Only $200K for a technology that's going to make them hundreds of millions. I feel sorry for the sucker programmer who falls for this gag.

Re:How cheap of them! (1)

Locutus (9039) | about 3 years ago | (#36976342)

that's what I was thinking. They'll blow billions every 3 months on BING and have blown billions on Zune and Windows CE but when it comes to security for Windows, the product which allows them to spend/waste so many billions, they offer a $200k bounty if you qualify? As you said, "How CHEAP of them!".

Then again, it's probably just another PR stunt.

LoB

And thus MS misses the mark again (2)

subreality (157447) | about 3 years ago | (#36975838)

Like antivirus, and antimalware, they're trying to provide active defenses for when code tries to do something bad. ... but they continue to ignore the fact that the best defense is to not run bad code to begin with. They're so gung-ho on making it easy for the user to do what they want to do (which is an admirable enough goal) that we have:

  • browsers that auto-install plugins
  • Mailreaders that let you run attachments with a couple clicks
  • Removable storage that auto-runs programs
  • Files that run because they're called *.exe instead of making the user contemplate for a moment the ramifications of chmod +x
  • Prompts to "allow the following program to make changes to this computer" without any useful context of the nature of the changes or their implications

Instead they're trying to install laser-turrets to shoot down every incoming mosquito after it's already intruded into our secure zone. Sure, that's nice too, but it's not a substitute.

Re:And thus MS misses the mark again (0)

Anonymous Coward | about 3 years ago | (#36975976)

All things which already happen in many Linux distros or could be made to happen with trivial effort.

Re:And thus MS misses the mark again (1)

subreality (157447) | about 3 years ago | (#36976594)

Except they don't. By using centralized package management, I don't have to run random binaries I downloaded to install things. I go into the package manager, and I know exactly what the implications are: it'll install a piece of software. If I don't like it, I uninstall it, and it does so cleanly.

I get flash through the package manager.
My mailreader doesn't let me directly execute programs (unless they're .exe which get run in Wine amusingly).
My removable storage doesn't auto-run.
Programs have to be chmod +x .

I do have the same vulnerability if I run a randomly downloaded program as root so it can go off and do whatever, and I don't have any better insight as to its changes than I do in Windows. The key difference is that's an exceptionally rare thing to do in Linux, whereas it's an everyday occurrence in Windows.

Sure, these things *could* be made to happen, but they don't, because it's not a desirable way to do things. Since that's not how you normally install software, it doesn't make things difficult for users, except those who're used to the Windows way of doing things. From my own experience, my father came to me confused because he wanted to install a program, and had downloaded a half dozen things but couldn't get them to install. I showed him how to use the Ubuntu Software Center, and he won't stop raving about how wonderful it is.

Re:And thus MS misses the mark again (0)

Anonymous Coward | about 3 years ago | (#36976804)

Windows hasn't done most of those things in quite some time, either. Vista/Windows 7 runs everyone under the context of a normal user. Plugins require a multiple step validation process to permit installation, many of them just flat out require external installers at this point. Outlook flat out blocks most attachments. The removable storage issues have been largely patched (and Windows is not the only OS with problems there these days.) And requiring the user to grant execution privileges to a binary is no different than a user-account control dialog. Just another singular pointless step that a mindless drone will do mindlessly.

Running all random applications as root died with Windows XP, at least once Windows XP realizes that it's dead.

As for the central installation repository, I agree that it would be very helpful. Unlike Ubuntu and other open source repositories Microsoft has a huge amount of liability as to what applications get what kind of billing and how. What if Office gets slightly more exposure than LibreOffice or if ModPlug comes up more often in searches than WinAmp? Microsoft can't just say "these are the approved applications" without that whetting the appetites of lawyers. And if MS were to implement a channel like this, even if it remained entirely optional with external arbitrary binaries still permitted, the entire Slashdot crowd would still cry foul, just like they do about every evil software restriction that you invent them enforcing.

Re:And thus MS misses the mark again (1)

0123456 (636235) | about 3 years ago | (#36977094)

Running all random applications as root died with Windows XP, at least once Windows XP realizes that it's dead.

Yeah, now users have to click 'OK' when they see the box that says 'Hello Kitty Screensaver wants to: Access Hard Disk' before it can install its malware payload.

Re:And thus MS misses the mark again (0)

Anonymous Coward | about 3 years ago | (#36977118)

browsers that auto-install plugins

That hasn't been true since the IE6 days.

Removable storage that auto-runs programs

That hasn't been true since the Windows 98/2K days (if ever, I don't remember). XP pre-SP1 didn't autorun USB programs. It put them in an autoplay box (removed in XP SP3).

Files that run because they're called *.exe instead of making the user contemplate for a moment the ramifications of chmod +x

You mean like the huge warning they get when downloading programs from the web? CLI doesn't exist for 99% of users.

Prompts to "allow the following program to make changes to this computer" without any useful context of the nature of the changes or their implications

Android is the only operating system which has tackled this issue, and by most accounts it has failed at it.

Re:And thus MS misses the mark again (1)

subreality (157447) | about 3 years ago | (#36978332)

That hasn't been true since the IE6 days.

Take IE9 to a web page that wants a plugin, and you're about two clicks away from installing it.

You mean like the huge warning they get when downloading programs from the web? CLI doesn't exist for 99% of users.

Yes, I mean exactly that. The very *existence* of that dialog is the problem. The workflow for installing things on Windows means you have to do that. Doing it right doesn't mean writing a better warning message, because the user is solely focused on "what do I need to click to make it go" and isn't going to read the warning.

It doesn't mean you have to go to the CLI: right click, properties, permissions, executable, and then you run it. That's considered backward UI in Windows because you're making a routine task difficult... But my point is needing to execute downloaded binaries shouldn't be routine.

Android is the only operating system which has tackled this issue, and by most accounts it has failed at it.

At least they're trying. A few more cycles of the idea and we might get somewhere.

Re:And thus MS misses the mark again (0)

Anonymous Coward | about 3 years ago | (#36979182)

It doesn't mean you have to go to the CLI: right click, properties, permissions, executable, and then you run it. That's considered backward UI in Windows because you're making a routine task difficult... But my point is needing to execute downloaded binaries shouldn't be routine.

Normal PC users have massive amounts of problems figuring out where a file downloaded, and how to deal with filesystems. If by some luck they do discover the download directory, they're lost because it's utterly swamped by 1,000 downloaded files.

Re:And thus MS misses the mark again (1)

kangsterizer (1698322) | about 3 years ago | (#36977810)

I'm pretty sure they mean passive, real defenses here.
That said, 200,000, while it's good for a small thing, is nothing if someone comes up with something groundbreaking.

Drum tight setup (0)

Anonymous Coward | about 3 years ago | (#36975878)

Disable all the external drives and ports and disable all the networking. I'll be collecting my check shortly.

Free ideas for the losers (0)

Anonymous Coward | about 3 years ago | (#36975892)

The "winner" may get a check. The losers get their ideas tossed about at Microsoft, with the possibility that a losing idea that has potential may be used in the future, with nothing for "second place".

Back to their roots... (1)

Scarred Intellect (1648867) | about 3 years ago | (#36975944)

So Microsoft's big idea is to buy software that other people have made?

I suppose it's not a bad business model, buy something that someone else created and rebrand it to sell it yourself...I mean hey, it worked for them before, right?

But why can't the world's largest software company do this themselves? I understand the need for an "outsider" to have a different perspective, but it seems that they should still be able to do this themselves.

Almost 30 years, and you still suck at life. Way to go, Microsoft.

Re:Back to their roots... (1)

Anonymous Coward | about 3 years ago | (#36976078)

You know you have a big company when they are castigated for not invented here syndrome AND for not inventing everything here.

Re:Back to their roots... (0)

Anonymous Coward | about 3 years ago | (#36976540)

I bet if google came out with the same idea it would have been hailed as doing something good??

Yeah, just like Stacker... (0)

Anonymous Coward | about 3 years ago | (#36975974)

Come up with a way to make security better and see if your material doesn't get stolen by M$?

M$ can be trusted to pay up, right?

Maybe you'll get a box of MS Word retail packages with an MSRP of $400 each instead of a check?

Re:Yeah, just like Stacker... (1)

Larryish (1215510) | about 3 years ago | (#36976602)

Maybe you'll get a box of MS Word retail packages with an MSRP of $400 each instead of a check?

And then when you sell them on Ebay, MS will use the DMCA to have the auctions removed.

Show me the money (0)

Anonymous Coward | about 3 years ago | (#36976030)

Don't thank Microsoft, thank the Von Neumann architecture for this problem. Can I just submit the Harvard architecture as a proposal and collect my 200k? Redesign how computers fundamentally use memory. (Don't redesign; use what Harvard suggested 70 years ago.) Can I have my money now?


Precedent (1)

BlueMikey (1112869) | about 3 years ago | (#36976042)

This kind of contest worked pretty darn well for Netflix.

Pay to the order of? (1)

xactuary (746078) | about 3 years ago | (#36976184)

Be sure to make the check payable to Apple Inc. and not Apple Computer.

This just in... (0)

Anonymous Coward | about 3 years ago | (#36976240)

The new security tech is reportedly called "Unix".

STOP HIDING FILE EXTENSIONS! (1)

dargndorp (939841) | about 3 years ago | (#36976248)

STOP HIDING FILE EXTENSIONS!

Really, this has got to be the premier cause of users not gaining some semblance of understanding in the basics of Windows-based computing. Once users start seeing these little tags after the name of a file, everything becomes much easier to explain and suddenly users are undimmed, if not enlightened.

Re:STOP HIDING FILE EXTENSIONS! (1)

gstrickler (920733) | about 3 years ago | (#36976824)

Wait, you think users will even notice?

All joking aside, that is one of the defaults that I really hate on Windows. It's completely useless. It doesn't make things any clearer for non-technical users, in fact, it leaves them uninformed and oblivious, while at the same time, it makes extra work for more technical users and tech support.

Re:STOP HIDING FILE EXTENSIONS! (1)

dargndorp (939841) | about 3 years ago | (#36976992)

No, the default uninformed user won't notice.

However, and this is purely my perspective, once I've had a little talk with users when giving them the tour of their newly resurrected system, faces light up when I tell them that this little thingamajig after the filename is how Windows decides what type of file it is and what Windows thinks it can do with it. The gap to getting a grip on the whole system seems (to me) to close quite a bit.

Amazingly, the "type" column in Windows Explorer seems not to work for users at all. In one ear, out the other.

Re:STOP HIDING FILE EXTENSIONS! (1)

gstrickler (920733) | about 3 years ago | (#36977244)

I agree, most users don't notice, and most understand quite well with a 1-2 minute explanation about what file extensions are and which ones are executable. I've supported hundreds of users, only had 1-2 who seemed to have any difficulty grasping the concept of file name extensions and the fundamental difference between executable files vs data files. Of course, when you have data files that can include scripts, macros, etc. the distinction gets blurred, but they do grasp the basics.

That is hilarious (0)

Anonymous Coward | about 3 years ago | (#36976466)

That is a tiny carrot and a frivolous smack in the face for some of the brightest minds on the planet. That is cheap sourcing tech if there ever was cheapsourcing. The five best ideas and their authors should form their own company and charge Microsoft $22B annually to keep that company's systems and software portfolios safe.

Re:That is hilarious (0)

Anonymous Coward | about 3 years ago | (#36978860)

How practical is that, considering that such a company would experience >100% turnover every couple of years as researchers age out of the "brightest minds" spot? I'm not sure whether you're more ignorant about what it takes to do defensive security or what it takes to actually operate a company, but either way, fail.

I have a brilliant suggestion (1)

IWantMoreSpamPlease (571972) | about 3 years ago | (#36976552)

Unplug the network cable.
Tada! Instant security.

Re:I have a brilliant suggestion (1)

ChipMonk (711367) | about 3 years ago | (#36976738)

Until you plug in that infected USB thumb drive.

Or that infected USB hard drive.

Or insert that CD that was made from the infected gold master.

how about stopping the attack before it starts. (1)

alienzed (732782) | about 3 years ago | (#36976630)

Option 1: Disable network connection. Now you can only hack yourself. Option 2: Nuke the world; cockroaches can't hack. Nobody, no problem. Please send the money to the address in my profile. Thx.

would you rather (0)

Anonymous Coward | about 3 years ago | (#36976916)

In the face of mounting external pressure to begin paying bug bounties

Get paid maybe $30,000 by Microsoft for finding a bug,
or create a piece of software that fixes a bug in Windows and sell it at $5 a pop
(given the several-hundred-million user base).
Guess which one Microsoft would rather encourage.

Meanwhile, elsewhere (1)

FlyveHest (105693) | about 3 years ago | (#36976932)

Valve is paying 1 million dollars for people playing a videogame.

What will Linus do with the money? (1)

Required Snark (1702878) | about 3 years ago | (#36977114)

Just asking.

Problem solved. (1)

Eric S. Smith (162) | about 3 years ago | (#36977564)

They want to "defend against memory safety vulnerabilities?" I assume that they're talking about buffer overflows, if nothing else, and I can think of a couple of ways to prevent them: 1) non-von Neumann architecture; or, and here I'm going really crazy, I know, with an idea that'd disrupt the entire industry: 2) stop using bloody C.

Idea (1)

StripedCow (776465) | about 3 years ago | (#36977634)

Replace web browsers by virtual machines.

Rationale: web browsers are WAY too complicated to ever be secure; virtual machines, on the other hand, need to support only a relatively small set of base instructions; as extra advantages, virtual machines are also more flexible and may relieve developers from the browser-compatibility headaches they've been having for years. Let's do it :)

A Blue Hat? (1)

bradorsomething (527297) | about 3 years ago | (#36978158)

I thought a Blue Hat was a Black Hat that couldn't get laid.

old school (1)

pbjones (315127) | about 3 years ago | (#36978530)

pocket calculator and a typewriter, and a fire-proof safe. These will cost you less than a reasonable PC and give you many years of service. Just send a couple of $1000 in real currency, none of the e-Money/net-money crap!

Caps (1)

Lorens (597774) | about 3 years ago | (#36978762)

Microsoft employed capability researcher Jonathan Shapiro for some time, but not any more. I wonder if that's because they decided it was too hard, unfeasible, never wanted caps at all, or some other reason. Caps would definitely be a way to defeat several if not most classes of bugs. In fact I have never encountered another method of computer security that seems credible.

WTF - Microsoft only pays 200k? (0)

Anonymous Coward | about 3 years ago | (#36979262)

Ok, this is crazy. A billion dollar company wants a researcher to give up IP that will make them millions for 200k. Don't do it!
