Mark Dalby

Microsoft has kicked off a contest aimed at turning the tables on hackers by offering big money prizes for innovative tactics to foil cyber attacks. The US software titan launched the premier BlueHat Prize competition at a major Black Hat computer security conference in Las Vegas.

“As the risk of criminal attacks on private and government computer systems continues to increase, Microsoft recognises the need to stimulate research in the area of defensive computer security technology,” Microsoft Trustworthy Computer Group general manager, Matt Thomlinson, said.

“Our interest is to promote a focus on developing innovative solutions rather than discovering individual issues,” he continued. Microsoft opted to offer prizes for defending against entire types of cyber attacks instead of simple paying “bounties” to those that discover individual computer bugs.

Microsoft has restricted its Wi-Fi-powered geolocation database after a researcher investigating Wi-Fi geolocation and position tracking raised privacy concerns about the information recorded. This follows a similar move from Google, amidst identical privacy complaints.

A number of companies including Microsoft, Google, and Skyhook operate Wi-Fi geolocation databases as a means of providing quick and reasonably effective location information to phones, tablets, and laptop computers. Every Wi-Fi and Ethernet device has a unique identifier called a MAC address. Wi-Fi access points broadcast their MAC addresses so that any nearby machines can see the access point and connect to it. Companies building geolocation databases collect access point MAC addresses and GPS locations, then publish this information online. (Community projects such as Wigle accumulate similar databases.)

Smartphones and laptops can use these databases to perform quick location finding whenever they’re connected to a Wi-Fi access point. They do this by querying the database for the location of the access point that they’re currently using. As long as it’s in the database—and hasn’t moved too far from wherever it was when its information was recorded—they then know that they’re close to the access point’s location.

In two years, Microsoft’s Bing has doubled its share of the U.S. search market, from 7.2 percent to 14.4 percent. If you add Yahoo’s Bing-powered portal, it’s 27 percent. So why are loud voices clamoring for Microsoft to give up on search?

Bing’s Online Services Division doesn’t make money. Shortly after Microsoft released its quarterly earnings results, ZDNet’s Larry Dignan called the OSD an “online sinkhole,” noting that the division last turned a profit in 2006 and had lost $ 8.5 billion over nine years. Last year, it lost a record $ 2.56 billion.

Reuters columnist Robert Cyran’s “Microsoft ought to kick off search for Bing buyer” turned up the heat, particularly when it was syndicated the following week in the New York Times under the headline “Bing Becomes A Costly Distraction for Microsoft.” Cyran’s argument is sophisticated: it recognizes the value that Microsoft has built up in Bing (and corresponding value to a buyer like Facebook or Apple). Still, Cyran thinks Microsoft’s continued investment in an unprofitable division doesn’t serve the company’s shareholders. Facebook’s investors — a group that includes Microsoft — would presumably be better suited for the long play that Bing represents than Microsoft’s quasi-blue-chip, profit-maximizing, dividend-minded shareholders.

Microsoft is serious about this whole “eliminating botnets” thing. The company’s offering a bounty for the operators behind the Rustock botnet, which the company helped disable in March. Before it went offline, the botnet proved capable of sending billions of spam e-mails per day.

In exchange for information leading to those operators’ arrest and conviction and whatnot, Microsoft is now willing to pay some $ 250,000. That’s a pretty big chunk of change, and the company’s probably betting it’s enough to persuade someone to sell their botnet-building buddy out.

“This reward offer stems from Microsoft’s recognition that the Rustock botnet is responsible for a number of criminal activities and serves to underscore our commitment to tracking down those behind it,” Richard Boscovich, senior attorney for Microsoft’s Digital Crimes Unit, wrote in a July 18 email posted on The Official Microsoft Blog. “The legal action Microsoft has taken in civil court has already been successful, helping us take down the Rustock botnet and disrupt its operations.”

Microsoft decided to extend their efforts to establish the identity of those responsible for controlling the Rustock botnet by issuing a $ 250,000 reward for new information that results in the identification, arrest and criminal conviction of such individual(s).

Residents of any country are eligible for the reward pursuant to the laws of that country.

Richard Boscovich Senior Attorney, Microsoft Digital Crimes Unit comments: “This reward offer stems from Microsoft’s recognition that the Rustock botnet is responsible for a number of criminal activities and serves to underscore our commitment to tracking down those behind it. While the primary goal for our legal and technical operation has been to stop and disrupt the threat that Rustock has posed for everyone affected by it, we also believe the Rustock bot-herders should be held accountable for their actions.”

The 343 changes made by Microsoft developer K. Y. Srinivasan put him at the top of a list, created by LWN.net, of developers who made the most changes in the current development cycle for Linux 3.0. Along with a number of other “change sets”, Microsoft provided a total of 361 changes, putting it in seventh place on the list of companies and groups that contributed code to the Linux kernel. By comparison, independent developers provided 1,085 change sets to Linux 3.0, while Red Hat provided 1,000 and Intel 839.

The figures were published on Thursday in an LWN.net article which is available exclusively to subscribers until this coming Thursday (21 July); however, bloggers have already commented on the figures. LWN.net has produced similar analyses for all of the recently published kernels, including 2.6.39 and 2.6.38. Author, kernel developer, and LWN.net founder Jonathan Corbet has conducted such surveys in cooperation with the Linux Foundation and published them as studies. In that context, The H pointed out that you have to be careful in interpreting the numbers. One bone of contention is that the analysis also covers changes in the staging area, which contains code that does not fulfil the quality standards of its developers and of kernel developers; a large number of changes are made to produce these required improvements.

Microsoft today shipped four security bulletins with patches for 22 serious security flaw and called special attention to a vulnerability in the Windows Bluetooth stack that could allow hackers to remotely take control of an affected computer.

The vulnerability, fixed with MS11-053, headlines a batch of updates that include fixes for gaping holes in the Windows kernel and security problems in the Windows Client/Server Run-time Subsystem.

The Bluetooth stack vulnerability introduces remote code execution risks on Windows Vista and Windows 7, Microsoft warned.

Microsoft expects to release four patches next week to address 22 vulnerabilities in Windows and Office, the company said Thursday.

The bulletins, one of which is graded “critical” and three of which are rated “important, are due Tuesday at about 2 p.m. EST.

The critical patch will address vulnerabilities in the two most recent Windows versions, Vista and 7, according to an advance notification advisory. Two of the important fixes will respond to flaws in all supported versions of Windows.