Microsoft this week expanded its bug bounty program to include security vulnerabilities in its identity services.
The software giant launched the Microsoft Identity Bounty Program, which offers payouts between $500 and $100,000 for vulnerabilities reported in Microsoft’s identity services. The scope of the identity bounty includes both consumer and enterprise services — Microsoft Accounts and Azure Active Directory, respectively — as well as login tools such as login.live.com, account.windowsazure.com, portal.office.com and the Microsoft Authenticator for iOS and Android applications.
In addition, Microsoft said the identity bounty will be available for bugs reported in the company’s implementations of specific OpenID standards.
“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” wrote Phillip Misner, principal security group manager for the Microsoft Security Response Center, in a blog post. “Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”
The expanded bug bounty program will pay up to $100,000 for the most serious vulnerabilities, including design vulnerabilities in identity standards and bypasses for multifactor authentication. Standards-based implementation flaws will pay a maximum of $75,000, while “significant” authentication bypasses will pay a maximum of $40,000.
The identity bounty program is the latest expansion of Microsoft’s bug bounty efforts. In 2015, the company announced a major expansion of its bug bounty program that included Microsoft’s Azure platform as well as specific vulnerabilities for its Hyper-V virtualization software.
The University of New Hampshire InterOperability Lab updated its IPv6 testing program to comply with new government requirements specified by the National Institute of Standards and Technology. UNH-IOL, a technology testing facility in Durham, N.H., also added support for SDN protocols in its updated program.
The testing program applies specifically to U.S. government agencies, such as NASA, that procure networking equipment and need independent certification that the products meet regulation, according to Timothy Winters, senior IP manager at UNH-IOL. The new requirements come as IPv6 adoption continues to grow globally, as indicated by Google, which said over 20% of its users now have IPv6 addresses, Winters added.
Agencies and product vendors that are UNH-IOL members send devices that need certification to the lab, where UNH students and staff test the products for a month to ensure they support IPv6 and comply.
UNH-IOL tests a range of products, including routers, switches, phones, printers and security cameras. Increasingly, however, agencies and service providers have requested UNH-IOL’s help with SDN and IoT devices, Winters said.
“We’re encountering more devices we haven’t seen,” he said. “Some of this is because of IoT, where things are actually being networked and put on a network. They’re not sitting on a proprietary link anymore.”
IPv6 testing ramps up
As operators and service providers realize IPv4 address space is decreasing, they’ve started moving to IPv6-only networks, Winters said. This transition caused UNH-IOL to update its IPv6 testing program accordingly.
“UNH-IOL is trying to push that support, so people building applications and services — or even routers and switches — can know which things work or don’t work in an IPv6-only network,” he said. These changes look at the requirements for building, installing and updating applications — processes that sometimes sound simple, but can actually be quite complicated, he added.
UNH-IOL also patched security loopholes in the IPv6 testing program and made the overall testing more generic, so governments outside the U.S. and other user groups could adopt it, Winters said.
Equipment suppliers have two years to comply with the new IPv6 testing specification. As a result, UNH-IOL will likely see 200 to 300 devices return to the lab to undergo the updated testing, according to Winters.
“I’m sure there are companies that have made some products legacy or don’t sell them anymore, so those won’t come back in,” Winters said. “But that’s a challenge: We have to get everybody back through the program.”
IPv6 complements SDN
Additionally, he said the lab now regularly receives routers without a command-line interface to test. This change comes as more service providers and equipment providers find value in SDN — and discover how IPv6 complements SDN deployments, Winters said.
“For SDN, the ability to address multiple services is helpful when you’re trying to get into networks that are so complex they have to be programmed,” he said. Service providers, for example, can use IPv6, along with disaggregation, network slicing and segment routing. The IPv6 address helps identify to which service any particular packet is going.
Along with the other testing updates, UNH-IOL added support for SDN protocols, such as NETCONF and YANG, as well as specs for IoT capabilities. By doing so, Winters said he hopes the lab will help push IPv6 deployments. And, as another plus, UNH-IOL students tackle “the latest and greatest stuff” in networking.
“For us, the exciting part is getting students involved in learning a technology like this,” he said. “It gives students the ability to build tools, see devices and test them.”
This post was authored with contributions by Cathy Palmer, Program Manager, Quantum Software & Services.
Today, Microsoft released an update to the Microsoft Quantum Development Kit including an enhanced debugging experience and faster simulations, as well as several contributions from the Q# community. We’re excited about the momentum generated by the many new Q# developers joining us in building a new generation of quantum computing.
Just over six months ago, we released a preview of Q#, our new programming language for quantum development featuring rich integration with Visual Studio. The February 26 release added integration with Visual Studio Code to support Q# development on macOS and Linux as well as Python interoperability for Windows. Since then, tens of thousands of developers have begun to explore Q# and the world of quantum development.
Today’s update includes significant performance improvements for simulations, regardless of the number of qubits required, as shown in the H2 simulation below. This is a standard sample included in the Microsoft Quantum Development Kit.
This update includes new debugging functionality within Visual Studio. The probability of measuring a “1” on a qubit is now automatically shown in the Visual Studio debugging window, making it easier to check the accuracy of your code. The release also improves the display of variable properties, enhancing the readability of the quantum state.
Adding to the new debugging improvements, you’ll find two new functions that output probability information related to the target quantum machine at a specified point in time, called DumpMachine and DumpRegister. To learn more, you can review this additional information on debugging quantum programs.
Thanks to your community contributions, the Microsoft Quantum Development Kit now includes new helper functions and operations, plus new samples to improve the onboarding and debugging experience. Check out the release notes for a full list of contributions.
Today in San Francisco, Microsoft Military Affairs will join our partners from LinkedIn to each share new commitments to the military spouse community.
Military spouses are an integral supporting force for members of our military, but face staggering 18 percent unemployment and 53 percent underemployment due to moves every two to three years, according to a 2016 study from Blue Star Families on the social cost of unemployment and underemployment of military spouses.
As part of our commitment to the military spouse community, Microsoft will launch a pilot program to provide spouses with technology skills training beginning in September.
Microsoft has successfully opened a technology career pipeline for transitioning service members and veterans via the Microsoft Software & Systems Academy (MSSA) program, which has expanded coast-to-coast and has a graduation rate of over 90 percent. We are excited to explore how to expand and tailor these opportunities to military spouses, who represent a diverse talent pool that is adaptable, resilient, highly educated and ready to take on new and exciting opportunities to further their professional and personal goals.
The U.S. government estimates information technology occupations are projected to grow 12 percent from 2014 to 2024, faster than the average for all occupations. Because there are 500,000 open technology jobs annually, we know that career programs are needed to help close the technology skills gap.
“Microsoft is excited to work with technology leaders and other organizations committed to supporting military spouses, and to find avenues that lead to meaningful career opportunities for active duty military spouses,” said U.S. Marine Corps Major General (Ret.) Chris Cortez, Vice President of Microsoft Military Affairs.
LinkedIn also announced today that it is expanding its military and veterans program to include military spouses through a new partnership with the U.S. Department of Defense’s Spouse Education and Career Opportunities program. Beginning this July, LinkedIn will provide one year of LinkedIn Premium to every military spouse during each of their moves to new installations to facilitate their career transitions, and once again upon conclusion of military service. This will include free access to LinkedIn’s online library of more than 12,000 LinkedIn Learning courses, including its newly-launched learning path designed to help military spouses succeed in flexible, freelance or remote-work opportunities.
The Microsoft Military Affairs team is working closely with military spouses and nonprofit organizations to understand firsthand the unique challenges this community faces as we build out and learn from our pilot program.
We are thrilled to begin our pilot program in the fall and to continue our support of military spouses and their community by providing the skills they need to enter technology careers.
A new investment from Microsoft’s AI for Earth program will accelerate Wild Me, an organization that identifies and tracks individual animals using machine learning and computer vision
REDMOND, Wash. — June 14, 2018 — On Thursday, Microsoft Corp. announced that Wild Me, a Portland-based nonprofit organization that focuses on combatting extinction with citizen science and artificial intelligence, will become a new featured project in its AI for Earth program. This deeper level of investment and engagement will enable Wild Me, and its wide range of users and supporters, to more effectively and efficiently use software and AI to combat extinction.
“The world is facing a major biodiversity crisis, and Wild Me’s work in harnessing computer vision and machine learning to monitor and track individual animals is truly groundbreaking,” said Bonnie Lei, AI for Earth project manager at Microsoft. “Microsoft hopes to accelerate Wild Me’s conservation impact by enabling wider usage of its open source algorithms through making them available on Microsoft Azure as APIs, and boosting the speed and accuracy of its entire Wildbook platform by migrating it over to Azure.”
Wildbook is an open source, cloud-based software platform — created by Wild Me in collaboration with faculty and students at Princeton University, Rensselaer Polytechnic Institute and the University of Illinois-Chicago — that brings together AI, computer vision, scientific research and citizen science to help protect endangered species. Using images uploaded from conservationists, researchers and citizen scientists, the software helps identify and track animal populations, monitor their migrations and interactions, and evaluate threats to inform and improve conservation efforts.
“Wildbook democratizes science and conservation,” said Tanya Berger-Wolf, director at Wild Me and professor at University of Illinois-Chicago. “The partnership with Microsoft will allow us to enable science and conservation at planetary scale and high resolution over time, space and individual animals.”
Wild Me will be the fifth AI for Earth featured project, joining land cover mapping, Project Premonition, FarmBeats and iNaturalist. With 111 grantees in 27 countries, AI for Earth puts Microsoft’s cloud and AI tools in the hands of those working to solve global environmental challenges. Through grants that provide access to cloud and AI tools, opportunities for education and training on AI, and investments in innovative, scalable solutions, AI for Earth works to advance sustainability across the globe.
Arista has launched a family of switches that companies can program to perform tasks typically handled by network appliances and routers. The company claims the consolidation capabilities of the new 7170 series reduce costs and network complexity.
The programmability of the 7170 family stems from the Barefoot Networks Tofino packet processor found in the hardware. Engineers program the silicon using P4, an open source language.
Barefoot markets Tofino as an alternative to fixed-function application-specific integrated circuits. Large enterprises, cloud and communication service providers are typical users of the high-speed Barefoot Tofino chip, which processes packets at 6.5 Tbps.
Arista, which uses Broadcom and Cavium packet processors in other switches, wants to broaden the potential customer base for the Barefoot Tofino chip by coupling it with the vendor’s EOS network operating system for leaf-spine architectures. To make programming on Barefoot Tofino silicon easier, Arista provides packaged profiles that contain data plane and control plane features for specific applications. Network managers can customize the patterns using P4 and deploy them on EOS.
“We’ll have to see what sort of benefits customers derive from using the technology in real-world production environments,” said Brad Casemore, an analyst at IDC. “In theory, it certainly has the potential to handle some tasks typically addressed by routers and middleboxes.”
Arista application profiles
Examples of the applications defined in the Arista profiles include network overlays and virtualization to offload network functions, such as traffic segmentation or tunnel encapsulation from virtual servers.
Other profiles provide network and application telemetry for flow-level visibility, configurable thresholds and alarms, timestamping and end-to-end latency. Arista also offers patterns supporting some firewall functionality and large-scale network address translation. NAT is a way to manage multiple IP addresses by giving them a solitary public IP address. The methodology improves security and decreases the number of IP addresses an organization needs.
“How readily those profiles are embraced and productively employed could determine the extent to which the 7170 successfully addresses the use cases Arista has identified,” Casemore said.
The 7170 series has two models. The first is a 1RU chassis that supports 32, 64 or 128 ports at 40/100 GbE, 50 GbE and 10/20 GbE, respectively. The second is a 2RU system that supports 64, 128 or 256 interfaces at 40/100 GbE, 50 GbE and 10/25 GbE, respectively. The hardware processes up to 12.8 terabits per second.
Base pricing for a 64-port system is $1,200 per port.
In March, Arista introduced two 25/100 GbE switches for cloud providers, tier-one and tier-two service providers, high-tech companies and financial institutions ready to replace 40/100 GbE switches with more powerful systems.
Arista is targeting the two switches — the 7050X3 and the 7260X3 — at different use cases. The former is an enterprise or carrier top-of-rack switch, while the 7260X3 is for leaf-spine data center networks used in large cloud environments.