Posted by: Subreption LLC 9 months, 2 weeks ago
It's August 2011. The weather has been getting warmer and warmer over the course of the last few weeks. The sun is roasting all Vegas sentient life against the pavement, while swarms of security professionals stroll down the sidewalks. It's been a very strange year so far. Keeping up with the hype-n'-bake modus operandi of the industry in the past decade, Microsoft has announced the Blue Hat Prize Contest with a "whopping" prize (but not a cash prize while at it) for building new "security mitigation technologies". Circa 260,000 USD are at stake, including paid travel and expenses to Black Hat 2012, that is, if the world doesn't implode with the help of the naive and the people at Microsoft Outreach.
Disregarding the fact that the very same people offering this prize have been consistently developing business intelligence on the industry, gathering gossip and influence from unsuspecting and not-so-unsuspecting professionals and "sceners", we have decided, as the independent, enfant terrible ensemble company we are, to completely vivisect this contest and explain, summing up the lengthier article in as few words as possible, why you should really not sell yourselves so cheap.
At the end of this article and statement you can find a list of people adhering to and supporting it. Back in the day, something along these lines happened with the Linux Security Modules craze, which was originally developed to tend to the business interests of very few players in the arena (while rejecting any contributions from third parties; this conglomerate of companies has now been largely overshadowed by Red Hat, which pretty much functions as a monopoly over the core components of the open source community).
Figures
This article would be fairly plain without a short rundown of the ins and outs of licensing your own proactive defense technology as an independent business entity. Even though it will be analyzed in more detail in another section, any potential contributor to the Blue Hat Prize contest should bear in mind that:
- It is a one-time only payment, meaning you will not be receiving any further compensation for your efforts, and Microsoft will have full leeway to do as they please with your work. It is not, by any means, an issue of implementation licensing, but the actual royalties and exploitation rights to your ideas will be at their entire disposal.
- The first prize carries a value of 200,000 USD. Taxes will be your own responsibility. Depending on the country and state you reside in, these will range from none or minimal to roughly 30-40%. For Europe-based "runners" this will be even further diminished by the USD-EUR exchange rate. Furthermore, banks will charge a premium for handling a transfer of this value unless you are in possession of private banking contacts. Just as "You can't simply walk into Mordor", you can't just walk into Switzerland, or Belize, or... no, really. Sorry buddies, we know it sounds cool. But in the real, non-film-esque world, financial engineering is much more complicated than that. And if the prize were a cash deposit, well... "other considerations apply". Armed security firm escorts, concealed carry permits, lots of bureaucracy and... well, you know where we are going with this! No-go!
- At 2011 rates, the cost of living will make 200k USD look much less interesting in a span of 3 years. Considering the sum, you might be better off using it as pocket money for budgeting travel, adventure, a new sports car or a business investment. The figure has a nice ring to it, and this is exactly what Microsoft wants you to feel. Your brain acts like a cash register going "cling" as the cash tray slides back in. Wrong. 200,000 USD for a multi-billion dollar corporation like Microsoft is what they sweep off the floor after scratching their backs with a stick made of diamonds.
- The second and third prizes are not even worth considering. They amount to less than pocket money. They might fund a few rounds at BarCon, though.
Now, we would like to explain the reasoning behind these remarks. Therefore we will briefly review the estimated costs of security vulnerabilities in Microsoft's own products. Obviously, if the sources of information depended on us, we would be biased and our opinion would not hold much validity, hence we are glad to remind you of the document published by Microsoft in April 2005, known as:
The Total Cost of Security Patch Management: A Comparison of Microsoft Windows and Open Source Software
The comparisons with open source software will be omitted as they are largely irrelevant in this context. The original document can be found at:
http://download.microsoft.com/download/1/7/b/17b54d06-1550-4011-9253-9484f769fe9f/TCO_SPM_Wipro.pdf
Some of the key figures:
- Across 90 different organizations, the average annual cost of keeping Windows systems patched up to date was 5,791,983 USD. This means that, at a prorated value of 482,665 USD per month, the very first month of deployment of the proactive defense technology could not only make up for the entire investment in prizes of the Blue Hat contest, but also net a benefit worth more than 220,000 USD on top of that sum. Again, these are 2005 dollars. We believe we have already made our point here, and thus taking inflation, etc. into account is irrelevant to these figures. If you wish, feel free to calculate the amounts for the current financial term as of 2011 and fall flat on your face, or laugh trying.
- The average cost of patching a single Windows system during said term was 1,622 USD. This is an insane sum if you consider the overwhelming population of networked Windows systems today. In the next section we will review an estimated royalty model and extrapolate return-on-investment relationships. With the sale of a few thousand Windows licenses alone to a single OEM vendor, the value of the Blue Hat prizes would again be covered without doubt.
- Microsoft so far has not published any information about their actual cost per vulnerability, although some details can be inferred from public information about their SDL related efforts, Patch Tuesday stock fluctuations and, most importantly, the always handy conference gossip. Unofficially, if you buy them enough martinis secos you might come across a figure much higher than a quarter million per vulnerability, annually. This is subject to degree of impact, risk assessment, and deployment numbers of the affected product.
- As an unrelated yet informative example, a simple error in Microsoft's Xbox Live site, responsible for handling the sale of "Microsoft points" which act as a virtual game currency of sorts, was estimated to have deprived Microsoft of approximately 3.2 million USD in sales in March 2011. Software vulnerability costs are more important and costly to Microsoft by an order of magnitude, leading to stock and PR losses, besides significant incidents related to spearphishing/targeted attacks.
Without resorting to further figures, it is evident that any kind of solution or palliative measure heightening security for customers will lead to increased profits and savings on the cost of vulnerability handling and patching at Microsoft. The total sum of the Blue Hat prizes barely scrapes the bottom of the ROI balance they would have, provided that the technologies actually work to that end.
An example of royalty-based model
In their contest information, Microsoft mentions "return oriented programming" as a key element to be "solved". Alas, after a decade, it seems the advanced persistent name changing threatens our memory in all humanly possible ways. Return-to-libc, as most of us know it, was the subject of study by the PaX team in their ethereal PAX-FUTURE documentation. However, we are diverting from our main train of thought here. The crucial point to take into consideration is that a technology to solve the problem of execution flow subversion and data access integrity requires a hefty investment of time and effort, surpassing any multiple of the value of the Blue Hat prizes. Thus, we intend to show you that the ROI of the Blue Hat prize resembles some sort of convoluted April Fools' joke more than an actual good-willed, reasonable contest.
In our estimates, we will assume that you, as a vendor, wish to license a technology or set of technologies that, lo and behold, protects a Windows system against "ROP" techniques. We will assume you are capable of implementing some of the PAX-FUTURE features against a stock Windows 7 system, within the terms provided by the Blue Hat contest organizers (implementation-wise).
Per the July 2011 Netcraft survey, we assume a total of 60,086,346 hosts are running Microsoft's IIS web server. We will disregard end users and "workstation setups" as not applicable and keep them out of our figures. The technology is to be licensed at a more than reasonable flat rate of 0.01 USD (one cent) per system for their server products, thus costing Microsoft roughly 600,000 USD annually. This is already less by an order of magnitude than the known estimates for annual patching cost, which was previously listed as approx. 5 million USD.
For an alternative business model targeting solely workstation systems, we will take Brandon LeBlanc's figure of 400,000,000 sold Windows 7 licenses as of July 2011, disregarding pirated copies and server products, and use a flat rate of 0.001 USD per license. Provided that Microsoft would not increase the final market value of each license, the investment would cost them a mere 400,000 USD annually. With an estimated cost per serious vulnerability of a quarter million, besides their SDL expenditure on subcontracting external firms, they would not only be saving money but already making a profit after the first two Internet Explorer use-after-frees.
Paying attention to the fine print
Before hopping onto our final statements, we believe it is necessary to emphasize the following points about the terms of the contest, which you should be very wary of:
- "understand and acknowledge that the Sponsor(s) may have developed or commissioned materials similar or identical to your submission and you waive any claims you may have resulting from any similarities to your entry" means in non-attorney-speak that Microsoft may forget about your submission and by means of cryptomnesia implement it sometime in the foreseeable future as the new DEP-in-shining-armor. And then you won't have any rights whatsoever to claim it really landed in their hands. This is akin to the "unsolicited material" unwritten law of the entertainment and arts industries.
- "understand that we cannot control the incoming information you will disclose to our representatives in the course of entering, or what our representatives will remember about your entry. You also understand that we will not restrict work assignments of representatives who have had access to your entry. By entering this Contest, you agree that use of information in our representatives' unaided memories in the development or deployment of our products or services does not create liability for us under this agreement or copyright or trade secret law;" more of the same. Essentially, any kind of claim about your entry, even if it does not make it into any of the three top spots, will be SOL. Obviously, it remains unclear if these terms are actually enforceable in any sensible way under United States intellectual property law. Nonetheless, it does leave a very uncomfortable creeping feeling in the spine. Slowly crawling its way up.
- "are agreeing to license IP and patent rights in your submission to Microsoft" - meaning you will lose all exploitation rights to your work. If you wind up regretting your decision to surrender the rights and essence of your work to Microsoft, which is a more than likely scenario once you realize 50,000 or 200,000 USD aren't really that much money after everything we have bothered to explain, you will be SOL when trying to claim any rights back. This is actually something perfectly enforceable under US IP law. And Microsoft has access to very fine attorneys while at it.
To sum it all up: non-winning entries will be subject to the same terms, you will lose any claim rights over your entry, and it will be the equivalent of unsolicited material, bearing no obligations on Microsoft as to how they might go about it. They might forget about your entry, and you might see it in a press release a year later anyway. You might have an even better understanding of whatever "unaided memory" means than us, but it probably doesn't make you feel any better.
Conclusions
Bottom line is, we believe this contest to be aimed at the desperate and the naive, and it is our duty, per our standards, to bring the crude reality to light and make sure that such unsuspecting people aren't duped into participating in a contest which is largely abusive, if not outright humorous.
If you have a technically capable and hard-working friend in the industry, and you are a reasonable, realistic individual, you will likely be interested in forwarding a link to this article and reviewing the list of people adhering to it and supporting our statements. As a friend you probably wish your fellow men success, and the Blue Hat Prize just won't cut it for them. It is only a clever propaganda move to attract potential technical talent into surrendering perfectly valid ideas and efforts to a corporation that invests far more than a sorry 260,000 USD in its security budget.
Don't dupe us, bro.
Adherents and supporters
The following people adhere to and support this Fatw- article on the Blue Hat Prize contest, while not necessarily representing the opinion of their employers (in the case of individuals). If you believe your name should be on this list, please get in touch. We will be updating this list as necessary. The only catch is we won't remove people from it once they are in, so no retreat-ers ;>
- Subreption LLC
- The PaX Team
For the reasons laid out in this document, we kindly ask would-be runners of the contest to reconsider their stance, refuse to sell their work "cheap", become aware of the state of the economy relevant to the case and pursue their wishes of fortune and bling bling through more realistic (and likely) means.