
Microsoft Expands Mitigation Bypass Bounty

Microsoft have expanded their mitigation bypass bounty to include not just bypass techniques researched and developed specifically for the program, but also bypass techniques observed in the wild, thereby vastly increasing the number of researchers looking and the chance of finding something novel.

Today’s news means we are going from accepting entries from only a handful of individuals capable of inventing new mitigation bypass techniques on their own, to potentially thousands of individuals or organizations who find attacks in the wild. Now, both finders and discoverers can turn in new techniques for $100,000.
Increasing the chance of finding a novel technique is only the first benefit Microsoft hope to gain from this expansion. As they point out in the quote below, they are also hoping to influence the underground vulnerability markets by raising the cost to those looking to buy exploits. This is a nice use of market forces to drive a security benefit: artificially increasing the cost to the bad guys. I wonder who has more money... (and no, I'm not going down the rabbit hole of nation state actors)
This evolution of our bounty programs is designed to further disrupt the vulnerability and exploit markets. Currently, black markets pay high prices for vulnerabilities and exploits based on factors that include exclusivity and longevity of usefulness before a vendor discovers and mitigates it.
The use of market forces to drive up the cost of exploits ties in quite nicely with some discussions I've been having recently about raising the entry criteria for attackers, be it at a micro level, such as what you might be doing in your organisation, or a macro level, such as what Microsoft are doing here. Attempting to 'raise the bar' for adversaries, by technical or financial means, is nothing new; it is the point of every security control and bug bounty program. What sets this effort and its predecessor apart from other bounty programs is that Microsoft is paying for generic mitigation bypass techniques (and new defensive strategies against them) rather than for individual vulnerabilities fixed with point solutions. Closing a bypass technique blunts whole classes of exploits rather than a single bug.

Economics and Security

No this post isn't about the cost of security - at least not in direct dollars!

I've been meaning to make this post for a while. Recently I read a great paper from Microsoft Research (Cormac Herley, 2009) titled So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users

Some of the points in this paper really hit home. It challenges the common wisdom about why users reject or bypass security, and points out the indirect cost to users of following advice against harms they are unlikely ever to suffer.

Applying economic ideas such as externalities to information security is not new; Bruce Schneier has commented on it in the past with regard to software development, and it is also covered in a chapter of Beautiful Security (which I don't have handy to pull the reference from).
Despite the old gag definition of economics as "The science of explaining tomorrow why the predictions you made yesterday didn't come true today", it is sadly still a step up from much of the FUD, voodoo and magic numbers pulled out of the air by some IT and IT security folk.
One of the great challenges is, as always, getting useful metrics...

Another major point in the Microsoft paper that really made me sit up and think was the assertion that "Thus, to a good approximation, 100% of certificate errors are false positives. Most users will come across certificate errors occasionally. Almost without exception they are the result of legitimate sites that have name mismatches, expired or self-signed certificates."
Thinking back over many years of surfing the 'net, I had to agree. I couldn't think of a single instance where I encountered an SSL certificate error that wasn't a false positive.
The bad guys don't bother with SSL certificates. Why would they, when you can fool end users by using a padlock as the favicon, or simply placing an image of a padlock next to the login box on your phishing site? And even when a phishing site does present a valid certificate, which free domain-validated certificates make easy, the padlock only tells the user that the connection is encrypted, not that the site is who they think it is.
Developers of legitimate sites don't help the situation either, by mixing secure and insecure content on the same page, which triggers mixed-content warning dialogs. What is the average end user to do? Assume the legitimate page is bad and deny themselves access to a service, or click through and further reinforce the lesson that it's alright to click OK on those boxes because nothing bad will happen?
I visited two websites recently, both owned by major IT companies, that had mixed their secure and insecure content in this manner.
What's the solution? SSL everywhere, and browsers that refuse unverified connections outright?
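The mixed-content problem above is easy to spot mechanically, and a site owner can find it before their users do. The following is an added example, not code from the original post: a small standard-library Python scanner that, given a page URL and its HTML, resolves every subresource reference and flags those that would load over plain http from an https page, separating "active" content (scripts, frames, stylesheets, which can rewrite the page and which browsers block) from "passive" content (images and media, which historically only produced a warning). The sample page and its hostnames are constructed for the example.

```python
"""Find mixed content (http subresources on an https page).

Added example; standard library only, runs offline over a constructed page.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose insecure load lets an attacker inject code or rewrite the page.
ACTIVE = {"script", "iframe", "link", "object", "embed"}
# Elements that only display insecure data (passive mixed content).
PASSIVE = {"img", "audio", "video", "source"}
# Attributes that carry a subresource URL (tuple so iteration order is stable).
URL_ATTRS = ("src", "href", "data")


class MixedContentFinder(HTMLParser):
    """Collects (severity, tag, resolved_url) for every insecure subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE and tag not in PASSIVE:
            return
        attrs = dict(attrs)
        # <link> only fetches something for rel values such as stylesheet/icon;
        # a <link rel="canonical"> is not a subresource load.
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if not {"stylesheet", "icon", "preload"} & set(rel):
                return
        for name in URL_ATTRS:
            value = attrs.get(name)
            if not value:
                continue
            # urljoin handles relative paths and scheme-relative "//host/..."
            # references, which inherit https from the page and are fine.
            resolved = urljoin(self.page_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                severity = "active" if tag in ACTIVE else "passive"
                self.findings.append((severity, tag, resolved))


def find_mixed_content(page_url, html):
    """Return the list of mixed-content findings for an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only meaningful on a secure page
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


def summarize(findings):
    """Count findings by severity, e.g. {'active': 2, 'passive': 1}."""
    counts = {"active": 0, "passive": 0}
    for severity, _tag, _url in findings:
        counts[severity] += 1
    return counts


# Constructed sample: a login page that mixes secure and insecure references.
SAMPLE_URL = "https://www.example.test/login"
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://www.example.test/login">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/tracker.js"></script>
</head><body>
<img src="http://images.example.test/padlock.png">
<img src="/img/logo.png">
<form action="https://login.example.test/auth"><input name="user"></form>
</body></html>
"""

if __name__ == "__main__":
    results = find_mixed_content(SAMPLE_URL, SAMPLE_PAGE)
    for severity, tag, url in results:
        print(f"{severity:8} <{tag}> {url}")
    print(summarize(results))
```

On the sample page the scanner reports the stylesheet and the tracker script as active mixed content and the padlock image as passive; the scheme-relative CDN script, the relative logo and the canonical link are correctly left alone. The fix on the server side is the one the post hints at: serve every subresource over https (a `Content-Security-Policy: upgrade-insecure-requests` header makes the browser rewrite stray http references) so users never see the dialog in the first place.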

Training end users is hard. Bringing them onside as allies in your security efforts, without overburdening them with externalities or overstating the likely harm by quoting the worst case (i.e. introducing FUD), is even harder.
