SOFTWARE DEVELOPER Microsoft has offered a $200,000 prize to anyone who can create a way of blocking entire classes of memory vulnerabilities in the Windows operating system.
Microsoft's Blue Hat Prize competition has a total prize pool of $250,000, with the first prize being the aforementioned $200,000. A second prize of $50,000 is also up for grabs, and the third place finisher will receive an MSDN Universal subscription, which generally goes for somewhere in the region of $10,000.
The idea behind Microsoft's competition is not only to get security researchers working for, rather than against, Microsoft, but also to get its hands on clever work on the cheap. Microsoft will retain a royalty-free licence to the works, though the firm said the authors will still own the rights and be able to develop the software techniques freely.
Katie Moussouris, senior security strategist lead for Microsoft's Security Response Center, said, "This is the first and largest incentive prize ever offered by Microsoft, and possibly ever in the industry [...] we're looking to make life more costly for criminals. The value of the prize will go beyond dollars however. We're looking to inspire research from industry, academia and even hobbyists."
Many firms offer cash bounties to security researchers, including Google, HP and Mozilla. One chap from HP told The INQUIRER that some of the security researchers can end up earning close to six figures every year from bounties. He also said that HP takes its most prolific security researchers on holidays to Las Vegas as a 'thank you' for their hard work, though we assume HP doesn't set them to work as card counters.
Although Microsoft's bounty might well be the largest yet and represents a significant amount of cash for any individual or a small team of students, for Microsoft it will be money very well spent. And since the task is to block a whole class of memory vulnerabilities on Windows, it is far from a trivial challenge. µ
You mean like: Adobe, Apple, Google, Siemens, Sony, Nintendo? (I can keep going if necessary.)
You used the word "Microsucks"?! Enjoy the rest of high school.
CHECK THIS OUT...
The 1st paragraph of this article says it all. MS wants programmers working FOR THEM ON THE CHEAP. FINE. I FIX it. YOU PAY 250k CASH UPON DELIVERY & PROOF OF PERFORMANCE + ROYALTIES on each piece of software containing (1) my time (irreplaceable), (2) MY IP, AND (3) my SWEAT!! WHICHEVER of us wins... sure hope I, we, they listen... THAT'S what MS did when IBM came calling, and LAUGHED all the way to the bank. GATES & CO had JUST bought the Dirty Operating System for $50,000 from Seattle Computing (sans royalties). (Footnote: the folks at Seattle later fought in court and WON MILLIONS from Sir Billy of Gates' Company!! But MS made BILLIONS.) So remember, 2 MILLION US is STILL not ENOUGH!! Think ROYALTIES, or get a SERIOUS ATTY TO DO IT FOR YOU!!
I think it should be pointed out that Microsoft itself is to blame for many of these memory vulnerabilities in Windows. When moving from NT 4.0 to XP, MS made a design decision to move the graphics subsystem and some other components of the OS from User mode back into Kernel mode, to boost performance. This compromised the much more secure, strict message-passing-based microkernel architecture of NT, and MS has been paying the price in terms of exploits ever since.
It seems to me that hardware CPU and memory performance has advanced sufficiently in the last 10 years to make up for any performance issues and it's time for MS to re-commit to something along the lines of the much more elegant and secure design of NT.
I agree that $200k is just plain cheap on Microsoft's part for what would constitute a significant contribution to their core money making product. I hope that whoever develops this will be wise enough to negotiate a better deal.
Oh and 200k is just MS being a crummy cheapskate. Hopefully the wizard that develops a solution will be wise enough to negotiate for some real $ and since they'll keep the IP, they'll be industrious enough to develop their own OS and give MS some more competition.
When did beating the competition actually mean secure? Not ready for prime time is the reality for Microsoft Windows products.
Windows is a hybrid microkernel based OS. Linux is a monolithic kernel based OS.
So it is Linux that has a bloated Kernel model, not Windows.
What fool would do this job for the paltry $200,000? I bet MS has spent millions on this already and wants to sucker some closet hacker into not sleeping for a year to produce a result their own inefficient megalopolis cannot manage.
The problem is MS Windows is too fractured by divisions and groups. The basic structure has to be addressed. A philosophy of not addressing invalid data cannot be fixed by one overseeing program. All the little ones must do data validity checks before producing over-runs, under-runs, non-predicted exception handling, etc. MS is reluctant because this adds overhead to the already severely bloated OS.
Take a lesson from Linux and make a concise kernel.
Why so cheap, Microsoft? For a multi-millionaire company and for this kind of project, under $1 million is just cheap. If someone really does discover a way, it will be sold for more than $200,000 by Microsoft over the years.
That's a very uninformed comment.
Current versions of Windows have far fewer security vulnerabilities than equivalent Linux distributions, or Mac OS X.
Even Windows XP has a third of the vulnerabilities of Mac OS X, or a fifth of the vulnerabilities of a similar-age Linux distribution.
And the same is true of IE9, which has several times fewer security vulnerabilities than Chrome 12, or Safari 5.
...how inept Microsucks is that they can't even secure their own crappy products.