
Microsoft offers $100k to hack its custom Linux OS - doener
https://www.theverge.com/2020/5/6/21249038/microsoft-azure-sphere-bug-bounty-security-hacking
======
INTPenis
Clearly they've put a lot of work into this and are willing to pay out for a
"3rd party audit" so to speak.

But my schadenfreude is hoping for an outcome similar to what happened to an
old co-worker of mine back in 2005.

He was a Windows nut and we were always in a friendly competition about which
ecosystem was the better one. One time he had done a bunch of modifications to
his own laptop OS, IDS, and tweaking services to have a slimmed down install
with a web server. When he was happy he told me "tell your hacker buddies to
try and hack this website hehe" :D

He had put up a simple website offering 1000 USD for hacking into the server
it was hosted on. His own personal work laptop, with a bunch of other
sensitive stuff on it.

I said, ok... And posted it on a certain mailing list that I won't mention.

We sat opposite each other and within 10 minutes I saw him bend down towards
the screen with a worried look on his face. Tapping frantically on the keys.

Within another 10 minutes he had disconnected the computer from the internet
and said the challenge was off. :D

Apparently his IDS had been throwing up warnings about md5 checksums being
changed left and right. That's all we figured out about it. I was 16 years
younger so he didn't want to share much more with me.

~~~
erikbye
How about we stop using HN's comment section to tell irrelevant-to-the-story
personal anecdotes? This is basically the top/most upvoted comment of every
article. Surely I can't be the only one to notice this trend?

~~~
wtetzner
I don’t see why it’s a problem. If it’s the most up-voted, then clearly people
find it interesting.

~~~
erikbye
It's a problem exactly because it's up-voted, it's derailing. Happens on so
many articles recently. Either derailing by a personal anecdote, or by the
"middlebrow dismissal":
[https://news.ycombinator.com/item?id=4693920](https://news.ycombinator.com/item?id=4693920)

Both are equally derailing. In this case, I would much rather the comments be
about the actual OS in question or the trend of big companies crowdsourcing
security (penetration testing).

~~~
WaylonKenning
One man's trash is another man's treasure. Otherwise we'd all be reading a
website called Hacker Facts, not Hacker News.

These anecdotes provide societal context to the story. Why would Microsoft get
the public to harden their product? Surely they have enough resources to do it
themselves right?

Because many eyes make light work. Some people would obsess over trying to
hack this OS, putting in far more effort than someone paid 9-5 to do it.

------
polskibus
Azure Sphere OS source code doesn't seem to be on GitHub. You can find it here
though (filter for Azure Sphere)
[https://3rdpartysource.microsoft.com/](https://3rdpartysource.microsoft.com/)

~~~
0xJRS
[https://github.com/crpietschmann/AzureSphereOS](https://github.com/crpietschmann/AzureSphereOS)

------
A4ET8a8uTh0
I am amused that MS has its own Linux flavor, but I won't make a joke about
it. I won't mention previous attempts at embrace, extend and extinguish.

I want to focus on the IoT part.

Do not get me wrong. I am glad MS tries to show they care about security in
the IoT space. Heaven knows I don't want to see a Starbucks microwave botnet in
2021.

~~~
fortran77
So I guess you don't believe in truly open source and free software. Where
everyone, regardless of motive or position, has equal access to it.

~~~
A4ET8a8uTh0
I did not argue that. I like their current efforts. But as with most things,
the best predictor of what people do is checking what they have done in the past.
In this case, they have attempted to capture an emerging competing OS and
effectively destroy it. It would be silly for me to simply forget the past.

They have access. I am not arguing against it. I have memory of what they have
done. Should I just forget it?

------
mschuster91
> Businesses like Starbucks are rolling out Azure Sphere to secure its store
> equipment, which feeds back data points on the type of beans, coffee
> temperature, and water quality for every shot of espresso.

I understand detailed feedback on huge multi-million dollar industrial
machines where proactive maintenance based upon massive ML datapoints can save
unexpected downtimes with millions in damage, but on _coffee machines_?!

~~~
at_a_remove
I will offer an observation here: franchise production of food and drink
relies upon homogeneity. Sometimes, people go out for something new, but often
people want the same old thing. Someone across the country in a strange bed,
where their accent sticks out, might want something familiar, and that is the
experience of McDonald's in the United States. I could go from one corner of
the country to another and the burgers would taste identical.

And so, people want replicable coffee drinks. And coffee can be a fickle beast
to brew. Given that, unlike McDonald's which can freeze and ship, you must go
from bean to drink on premise in a matter of minutes, I could see a focus on
trying to ferret out a way to make that expensive cup taste the same from
Portland, Oregon to Portland, Maine.

~~~
WhyNotHugo
McDonald's has very different menus in different regions, as does Starbucks.

I remember visiting NY and being fascinated by many of the options I've never
seen in other countries.

~~~
cozzyd
In their Chicago HQ (ironically on Randolph Street), McDonald's has a "Global
Menu" where they serve a rotating selection of items served around the world. It
seems that chicken is king in most other countries.

~~~
WhyNotHugo
It isn't in the US? What are the top options then?

~~~
cozzyd
Most people get beef burgers at McD's in the US (at least, that's my
impression).

------
gentleman11
Did not know they offered a custom Linux OS.

What is the strategy here, to make a Chromium like play where the project is
open but for practical purposes everyone just uses Chrome? That might not be
terrible for the ecosystem

~~~
xnyan
Multiple custom Linux OSes at this point. WSL2 is a custom, mostly transparent
Linux VM tailored to fit nicely on desktop Windows for developers.

The play (as I see it) was that losing mobile really shook them, and now they
have no sacred cows to protect. Developers want and need to develop on Linux,
so Microsoft is making that happen so that they can keep selling software.

------
fnord123
Win win. Flag not captured: MSFT is secure! Flag captured: Linux is insecure.

~~~
munchbunny
That's really cynical. It could also just be that bounties like this are a
useful way to improve security of software.

Linux's security isn't in question anymore, certainly not among developers who
would be choosing whether to use Azure Sphere. Linux has been battle-tested
for decades, and Linux already won. This is Microsoft embracing it, for better
or for worse. And frankly I'd rather have a Microsoft Linux distro on my
fridge than a slimmed down version of Windows.

I'd rather just have a plain old fridge, honestly, but we're talking about IoT
OSes right now.

~~~
fnord123
>That's really cynical.

Of course. This is Microsoft. The memory of the culture of Gates and Ballmer
is not erased.

>And frankly I'd rather have a Microsoft Linux distro on my fridge than a
slimmed down version of Windows

Referencing security of fridges reminded me of this
[https://www.youtube.com/watch?v=BnKpNVHw-TQ](https://www.youtube.com/watch?v=BnKpNVHw-TQ) :)

------
nickysielicki
Yocto-based. Nice, at least they're doing that part right.

------
duxup
How do they usually run these?

Folks apply and then does MS provide each accepted applicant a separate target
and some level of access to verify if they were successful?

------
egberts1
So it’s based on Ubuntu 19.1.

Mmmmmm.

~~~
CraftThatBlock
Can you provide a source? I couldn't find any references looking at the source.
Also, that's not an Ubuntu version.

~~~
egberts1
[https://github.com/crpietschmann/AzureSphereOS](https://github.com/crpietschmann/AzureSphereOS)

Ubuntu.

~~~
CraftThatBlock
Ctrl+F "Ubuntu" - No results.

Seems to be using parts of code from Ubuntu, but that doesn't mean it is
Ubuntu.

------
zerr
This reminds me of pentesters being jailed a while ago.

------
loltyler1
Soooo much money, what a time to be a sec-expert! </s>

~~~
kabes
If you manage it in a day... Even if you take a month.

The problem with these kinds of things is you never know how much time you're gonna
spend. I was pretty active in this scene when I was going to University and
had nothing better to do. But now I don't want to risk a month of my time and
potentially end up with nothing. I guess people who compete in these things
already have an exploit at hand to start with.

