Tag Archives: Program

Congress wants CVE program changes from DHS and MITRE

The House Energy and Commerce Committee completed its investigation of the Common Vulnerabilities and Exposures program this week and requested “significant changes to the very foundation of the CVE program.”

The investigation began in March of 2017 following media reports on extensive issues with the CVE tracking system, including long backlogs for assigning CVE identifiers. In letters to both the Department of Homeland Security (DHS) and MITRE Corporation — the two entities that manage the CVE program — members of the E&C Committee noted that changes have already been made to the CVE program, but said these changes didn’t address root issues with the program.

“The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society,” Committee members wrote in the letters. “The Committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the Committee’s initial request. However, many of these reforms target symptoms that stem from what the Committee considers to be underlying root-causes — the contract-based nature of the program and the lack of oversight — which have yet to be addressed.”

During its investigation into the CVE program, the E&C Committee found red flags right from the start.

“Given the importance of the CVE program as critical cyberinfrastructure, the Committee expected to receive substantially more documentation in response to its request than was produced,” the Committee wrote in the letter to DHS. “[T]he Committee was surprised by the dearth of produced analyses, timelines, and other oversight materials documenting the year-over-year health of the program. The Committee finds the lack of documentation produced by DHS and MITRE to be revealing in and of itself.” 

The Committee members said the contract-based nature of the CVE program led to inconsistent funding, short-term planning and thousands of vulnerabilities per year that didn’t receive CVE numbers. The Committee suggested this be changed to make funding a PPA (Program, Project, or Activity) line item in the DHS budget in the hopes of forcing DHS and MITRE to take the program more seriously.

“The documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE’s status as critical cyberinfrastructure. Instead, both organizations continued to manage and fund the program through a series of contracts which themselves were unstable,” the committee wrote. “This approach was perhaps to be expected given that neither organization, according to produced documentation, performed the level of oversight needed to ensure the program continued to fulfill its purpose and meet stakeholder needs.”

The Committee also requested DHS and MITRE perform biennial reviews of the CVE program “to ensure its effectiveness and stability.”

“Since the CVE program’s inception, the nature of cybersecurity threats it is meant to address has drastically evolved. So, too, have stakeholders’ needs. Yet the scope and mission of the CVE program have not undergone similar transformation,” the Committee wrote. “By conducting regular reviews of the program, officials would be able to develop short, medium and long-term goals and then evaluate their progress at achieving those goals.”

However, even these changes to so-called “root-causes” of the CVE program’s issues weren’t enough for all experts. K. Reid Wightman, vulnerability analyst at Dragos Inc., said on Twitter the recommendations showed “the wildly inaccurate CVSS scores that accompany most CVEs were out of scope,” but added he would be “glad if some progress is made on assignments at least.”

DHS and MITRE have until Sept. 4 to respond to the recommendations made by the E&C Committee.

Understand Windows Insider Program for Business options

The Windows Insider Program for Business provides features that help IT plan for and deploy GA builds when they arrive.

The Windows Insider Program, which Microsoft introduced in 2014, lets IT try out new features in the upcoming Windows release before Microsoft makes them generally available. Microsoft added the Windows Insider Program for Business in April 2018 to provide organizations with tools to better prepare for upcoming releases.

Windows Insider Program for Business

Microsoft designed the Windows Insider Program for Business specifically for organizations to deploy preview builds from Windows 10 and Windows Server to participating employees for testing before they are GA.

IT pros can register their domains with the service and control settings centrally rather than registering users or configuring machines individually. Individual users can also join the Windows Insider Program for Business on their own, independently of IT’s corporate-wide review.

The preview builds don’t replace the regular channel releases, and IT doesn’t roll them out across the organization. They are simply early Windows 10 builds that IT teams can use to prepare the organization for the coming update.

The Windows Insider Program for Business preview builds make it possible for IT to implement new services and tools more quickly once the GA release is available. The previews also give IT a chance to check, in advance of the release, how the new build affects its data security and governance controls and to report any problems to Microsoft while there is still time to fix them.

The Windows Insider Program for Business allows administrators, developers, testers and other users to see what effect a new release might have on their devices, applications and infrastructures. Microsoft includes the Feedback Hub for IT pros and users to submit reactions about their experiences, make requests for new features and identify issues such as application compatibility, security and performance problems.

Microsoft also offers the Windows Insider Lab for Enterprise, a test deployment for insiders who Microsoft specially selects to test new, experimental or prerelease enterprise security and privacy features. The lab provides insiders with a virtual test infrastructure that comes complete with typical enterprise technologies such as Windows Information Protection, Windows Defender Application Guard and Microsoft App-V.

Getting started with the insider program

Microsoft recommends organizations sign up for the Windows Insider Program for Business and dedicate at least a few devices to the program. IT pros must register their users with the service and set up the target devices to receive preview builds.

Microsoft also recommends that organizations use Azure Active Directory work accounts when registering with the service, whether an organization registers users individually or as part of a domain account. A domain registration makes it easier for IT to manage the participating devices and track feedback from users across the organization. Users that want to submit feedback on behalf of the organization must have a domain registration, as well.

IT can install and manage preview builds on individual devices or on the infrastructure and deploy the builds across multiple devices in the domain, including virtual machines. Using Group Policy, IT can also enable, disable, defer or pause preview installations and set the branch readiness level, which determines when the preview builds are installed.

Microsoft’s three preview readiness branches

IT can configure devices so the preview builds install automatically or allow users to choose their own install schedules. With mobile device management tools such as Microsoft Intune, IT can take over the preview readiness branch settings, assigning each user one of three preview deployment branches.

Fast. Devices at the Fast level are the first to receive build and feature updates. This readiness level implies some risk because it is the least stable and some features might not work on certain devices. As a result, IT should only install Fast builds on secondary devices and limit these builds to a select group of users.

Slow. Devices at the Slow level receive updates after Microsoft applies user and organization feedback from the Fast build. These builds are more stable, but users don’t see them as early in the process compared to the Fast builds. The Slow level generally targets a broader set of users.

Release Preview. Devices at the Release Preview level are the last to receive preview builds, but these builds are the most stable. Users still get to see and test features in advance and can provide feedback, but they have a much smaller window between the preview build and the final release.
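The ring controls described above are ordinary Windows Update policy settings, so their state can be audited like any other configuration drift. The following PowerShell script is an added example, not code from the article or from Microsoft: it reads the registry values written by the “Manage preview builds” and “Select when Preview Builds and Feature Updates are received” Group Policy settings under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and flags devices that could self-enroll, or that sit on the Fast ring without being designated test machines. The numeric value-to-ring mapping, the allow-list of Fast-ring hostnames and the function names are assumptions to verify against the ADMX templates you actually deploy.

```powershell
# Added example, not from the original article or from Microsoft.
# Audits the Windows Insider preview-build policy on the local device and
# flags settings that conflict with a stated ring policy. Registry path and
# value names follow the "Manage preview builds" and "Select when Preview
# Builds and Feature Updates are received" Group Policy settings; the
# numeric mappings below are assumptions to verify against your ADMX files.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Assumed BranchReadinessLevel values -> readiness branch names.
$BranchNames = @{
    2  = 'Windows Insider Fast'
    4  = 'Windows Insider Slow'
    8  = 'Release Preview'
    16 = 'Semi-Annual Channel (Targeted)'
    32 = 'Semi-Annual Channel'
}

# Assumed ManagePreviewBuildsPolicyValue values -> preview-build state.
$PreviewStates = @{
    0 = 'Disabled'
    1 = 'Disabled once the next release is public'
    2 = 'Enabled'
}

function Get-InsiderPolicyState {
    param([string]$Key = $PolicyKey)

    # Absent values come back as $null, which the lookup reports as "Not configured".
    $props = if (Test-Path -Path $Key) { Get-ItemProperty -Path $Key } else { $null }

    $lookup = {
        param($table, $value)
        if ($null -ne $value -and $table.ContainsKey([int]$value)) { $table[[int]$value] } else { 'Not configured' }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        PolicyPresent        = [bool]$props.ManagePreviewBuilds
        PreviewBuilds        = & $lookup $PreviewStates $props.ManagePreviewBuildsPolicyValue
        ReadinessBranch      = & $lookup $BranchNames $props.BranchReadinessLevel
        DeferFeatureDays     = $props.DeferFeatureUpdatesPeriodInDays
        FeatureUpdatesPaused = [bool]$props.PauseFeatureUpdatesStartTime
    }
}

function Test-InsiderPolicyCompliance {
    param(
        [Parameter(Mandatory)] $State,
        # Hypothetical allow-list of hosts permitted on the Fast ring.
        [string[]]$FastRingAllowList = @('LAB-INSIDER-01', 'LAB-INSIDER-02')
    )

    $findings = @()
    if (-not $State.PolicyPresent) {
        $findings += 'No preview-build policy: a user could self-enroll this device in the Insider program.'
    }
    if ($State.ReadinessBranch -eq 'Windows Insider Fast' -and $State.ComputerName -notin $FastRingAllowList) {
        $findings += 'Fast-ring builds on a device that is not a designated secondary test machine.'
    }
    if ($State.PreviewBuilds -eq 'Enabled' -and $State.ReadinessBranch -eq 'Not configured') {
        $findings += 'Preview builds enabled without a pinned readiness level; the ring is left to the user.'
    }

    [pscustomobject]@{
        ComputerName = $State.ComputerName
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Run locally; wrap both calls in Invoke-Command to sweep a fleet.
$state = Get-InsiderPolicyState
$state | Format-List
Test-InsiderPolicyCompliance -State $state | Format-List
```

The script only reads policy keys, so it runs in a standard user session; fleet-wide, collect the returned objects through Invoke-Command and alert on Compliant being false. Devices managed through MDM store the equivalent Update CSP settings under a different registry path, so point $Key at that location (an assumption to verify for your tenant) when auditing Intune-managed hosts.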

Is the Windows Insider Program for Business for everyone?

An organization that participates in the Windows Insider Program for Business must be able to commit the necessary resources to effectively take advantage of the program’s features. To meet this standard, organizations must ensure that they can dedicate the necessary hardware and infrastructure resources and choose users who have enough time to properly test the builds.

An organization’s decision to invest in these resources depends on its specific circumstances, but deploying a Windows update is seldom without a few hiccups. With the Windows Insider Program for Business, IT can avoid some of these issues.

Microsoft launches identity bounty program, offers up to $100,000

Microsoft this week expanded its bug bounty program to include security vulnerabilities in its identity services.

The software giant launched the Microsoft Identity Bounty Program, which offers payouts between $500 and $100,000 for vulnerabilities reported in Microsoft’s identity services. The scope of the identity bounty includes both consumer and enterprise services — Microsoft Accounts and Azure Active Directory, respectively — as well as login tools such as login.live.com, account.windowsazure.com, portal.office.com and the Microsoft Authenticator for iOS and Android applications.

In addition, Microsoft said the identity bounty will be available for bugs reported in the company’s implementations of specific OpenID standards.

“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” wrote Phillip Misner, principal security group manager for the Microsoft Security Response Center, in a blog post. “Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”

The expanded bug bounty program will pay up to $100,000 for the most serious vulnerabilities, including design vulnerabilities in identity standards and bypasses for multifactor authentication. Standards-based implementation flaws will pay a maximum of $75,000, while “significant” authentication bypasses will pay a maximum of $40,000.

The identity bounty program is the latest expansion of Microsoft’s bug bounty efforts. In 2015, the company announced a major expansion of its bug bounty program that included Microsoft’s Azure platform as well as specific vulnerabilities for its Hyper-V virtualization software.

UNH InterOperability Lab expands IPv6 testing amid SDN growth

The University of New Hampshire InterOperability Lab updated its IPv6 testing program to comply with new government requirements specified by the National Institute of Standards and Technology. UNH-IOL, a technology testing facility in Durham, N.H., also added support for SDN protocols in its updated program.

The testing program applies specifically to U.S. government agencies, such as NASA, that procure networking equipment and need independent certification that the products meet the requirements, according to Timothy Winters, senior IP manager at UNH-IOL. The new requirements come as IPv6 adoption continues to grow globally; Google, for example, reports that over 20% of its users now connect over IPv6, Winters added.

Agencies and product vendors that are UNH-IOL members send devices that need certification to the lab, where UNH students and staff spend about a month testing each product to verify it supports IPv6 and complies with the specification.

UNH-IOL tests a range of products, including routers, switches, phones, printers and security cameras. Increasingly, however, agencies and service providers have requested UNH-IOL’s help with SDN and IoT devices, Winters said.

“We’re encountering more devices we haven’t seen,” he said. “Some of this is because of IoT, where things are actually being networked and put on a network. They’re not sitting on a proprietary link anymore.”

IPv6 testing ramps up


As operators and service providers realize IPv4 address space is decreasing, they’ve started moving to IPv6-only networks, Winters said. This transition caused UNH-IOL to update its IPv6 testing program accordingly.

“UNH-IOL is trying to push that support, so people building applications and services — or even routers and switches — can know which things work or don’t work in an IPv6-only network,” he said. These changes look at the requirements for building, installing and updating applications — processes that sometimes sound simple, but can actually be quite complicated, he added.

UNH-IOL also patched security loopholes in the IPv6 testing program and made the overall testing more generic, so governments outside the U.S. and other user groups could adopt it, Winters said.

Equipment suppliers have two years to comply with the new IPv6 testing specification. As a result, UNH-IOL will likely see 200 to 300 devices return to the lab to undergo the updated testing, according to Winters.

“I’m sure there are companies that have made some products legacy or don’t sell them anymore, so those won’t come back in,” Winters said. “But that’s a challenge: We have to get everybody back through the program.”

(Figure: USGv6 testing program flow chart, showing the process vendors follow to have their products tested for IPv6 compliance.)

IPv6 complements SDN

Additionally, Winters said the lab now regularly receives routers that have no command-line interface at all. This change comes as more service providers and equipment providers find value in SDN, and as they discover how IPv6 complements SDN deployments.

“For SDN, the ability to address multiple services is helpful when you’re trying to get into networks that are so complex they have to be programmed,” he said. Service providers, for example, can use IPv6, along with disaggregation, network slicing and segment routing. The IPv6 address helps identify to which service any particular packet is going.

Along with the other testing updates, UNH-IOL added support for SDN management protocols and data models, such as NETCONF and YANG, as well as specs for IoT capabilities. By doing so, Winters said he hopes the lab will help push IPv6 deployments. And, as another plus, UNH-IOL students tackle “the latest and greatest stuff” in networking.

“For us, the exciting part is getting students involved in learning a technology like this,” he said. “It gives students the ability to build tools, see devices and test them.”

Enhanced debugging and faster simulation with the latest Quantum Development Kit update

This post was authored with contributions by Cathy Palmer, Program Manager, Quantum Software & Services.

Today, Microsoft released an update to the Microsoft Quantum Development Kit including an enhanced debugging experience and faster simulations, as well as several contributions from the Q# community. We’re excited about the momentum generated by the many new Q# developers joining us in building a new generation of quantum computing.

Just over six months ago, we released a preview of Q#, our new programming language for quantum development featuring rich integration with Visual Studio. The February 26 release added integration with Visual Studio Code to support Q# development on macOS and Linux as well as Python interoperability for Windows. Since then, tens of thousands of developers have begun to explore Q# and the world of quantum development.

Today’s update includes significant performance improvements for simulations, regardless of the number of qubits required, as shown in the H2 simulation below. This is a standard sample included in the Microsoft Quantum Development Kit.

(Figure: simulation time comparison for the H2 sample.)

This update includes new debugging functionality within Visual Studio. The probability of measuring a “1” on a qubit is now automatically shown in the Visual Studio debugging window, making it easier to check the accuracy of your code. The release also improves the display of variable properties, enhancing the readability of the quantum state.

(Figure: Visual Studio debugging window showing the enhanced qubit display.)

Adding to the new debugging improvements, you’ll find two new functions that output probability information related to the target quantum machine at a specified point in time, called DumpMachine and DumpRegister. To learn more, you can review this additional information on debugging quantum programs.

Thanks to your community contributions, the Microsoft Quantum Development Kit now includes new helper functions and operations, plus new samples to improve the onboarding and debugging experience. Check out the release notes for a full list of contributions.

Download the latest Microsoft Quantum Development Kit

We’ve been thrilled with the participation, contributions, and inspiring work of the Q# community. We can’t wait to see what you do next.

Microsoft expands commitment to military spouse community – Microsoft Military Affairs

Today in San Francisco, Microsoft Military Affairs will join our partners from LinkedIn to each share new commitments to the military spouse community.

Military spouses are an integral supporting force for members of our military, but face staggering 18 percent unemployment and 53 percent underemployment due to moves every two to three years, according to a 2016 study from Blue Star Families on the social cost of unemployment and underemployment of military spouses.

As part of our commitment to the military spouse community, Microsoft will launch a pilot program to provide spouses with technology skills training beginning in September.

Microsoft has successfully opened a technology career pipeline for transitioning service members and veterans via the Microsoft Software & Systems Academy (MSSA) program, which has expanded coast-to-coast and has a graduation rate of over 90 percent. We are excited to explore how to expand and tailor these opportunities to military spouses, who represent a diverse talent pool that is adaptable, resilient, highly educated and ready to take on new opportunities to further their professional and personal goals.

The U.S. government estimates information technology occupations are projected to grow 12 percent from 2014 to 2024, faster than the average for all occupations. Because there are 500,000 open technology jobs annually, we know that career programs are needed to help close the technology skills gap.

“Microsoft is excited to work with technology leaders and other organizations committed to supporting military spouses, and to find avenues that lead to meaningful career opportunities for active duty military spouses,” said U.S. Marine Corps Major General (Ret.) Chris Cortez, Vice President of Microsoft Military Affairs.

LinkedIn also announced today that it is expanding its military and veterans program to include military spouses through a new partnership with the U.S. Department of Defense’s Spouse Education and Career Opportunities program. Beginning this July, LinkedIn will provide one year of LinkedIn Premium to every military spouse during each of their moves to new installations to facilitate their career transitions, and once again upon conclusion of military service. This will include free access to LinkedIn’s online library of more than 12,000 LinkedIn Learning courses, including its newly-launched learning path designed to help military spouses succeed in flexible, freelance or remote-work opportunities.

The Microsoft Military Affairs team is working closely with military spouses and nonprofit organizations to understand firsthand the unique challenges this community faces as we build out and learn from our pilot program.

We are thrilled to begin our pilot program in the fall and to continue our support of military spouses and their community by providing the skills they need to enter technology careers.

Wild Me joins AI for Earth | Stories

A new investment from Microsoft’s AI for Earth program will accelerate Wild Me, an organization that identifies and tracks individual animals using machine learning and computer vision

REDMOND, Wash. — June 14, 2018 — On Thursday, Microsoft Corp. announced that Wild Me, a Portland-based nonprofit organization that focuses on combating extinction with citizen science and artificial intelligence, will become a new featured project in its AI for Earth program. This deeper level of investment and engagement will enable Wild Me, and its wide range of users and supporters, to more effectively and efficiently use software and AI to combat extinction.

“The world is facing a major biodiversity crisis, and Wild Me’s work in harnessing computer vision and machine learning to monitor and track individual animals is truly groundbreaking,” said Bonnie Lei, AI for Earth project manager at Microsoft. “Microsoft hopes to accelerate Wild Me’s conservation impact by enabling wider usage of its open source algorithms through making them available on Microsoft Azure as APIs, and boosting the speed and accuracy of its entire Wildbook platform by migrating it over to Azure.”

Wildbook is an open source, cloud-based software platform — created by Wild Me in collaboration with faculty and students at Princeton University, Rensselaer Polytechnic Institute and the University of Illinois-Chicago — that brings together AI, computer vision, scientific research and citizen science to help protect endangered species. Using images uploaded from conservationists, researchers and citizen scientists, the software helps identify and track animal populations, monitor their migrations and interactions, and evaluate threats to inform and improve conservation efforts.

“Wildbook democratizes science and conservation,” said Tanya Berger-Wolf, director at Wild Me and professor at University of Illinois-Chicago. “The partnership with Microsoft will allow us to enable science and conservation at planetary scale and high resolution over time, space and individual animals.”

Wild Me will be the fifth AI for Earth featured project, joining land cover mapping, Project Premonition, FarmBeats and iNaturalist. With 111 grantees in 27 countries, AI for Earth puts Microsoft’s cloud and AI tools in the hands of those working to solve global environmental challenges. Through grants that provide access to cloud and AI tools, opportunities for education and training on AI, and investments in innovative, scalable solutions, AI for Earth works to advance sustainability across the globe.

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

For more information, press only: Microsoft Media Relations, WE Communications for Microsoft, (425) 638-7777, rrt@we-worldwide.com

Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://news.microsoft.com. Web links, telephone numbers and titles were correct at time of publication, but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://news.microsoft.com/microsoft-public-relations-contacts.

New Arista switches use Barefoot Tofino programmable chip

Arista has launched a family of switches that companies can program to perform tasks typically handled by network appliances and routers. The company claims the consolidation capabilities of the new 7170 series reduce costs and network complexity.

The programmability of the 7170 family stems from the Barefoot Networks Tofino packet processor found in the hardware. Engineers program the silicon using P4, an open source language.

Barefoot markets Tofino as an alternative to fixed-function application-specific integrated circuits. Large enterprises, cloud and communication service providers are typical users of the high-speed Barefoot Tofino chip, which processes packets at 6.5 Tbps.

Arista, which uses Broadcom and Cavium packet processors in other switches, wants to broaden the potential customer base for the Barefoot Tofino chip by coupling it with the vendor’s EOS network operating system for leaf-spine architectures. To make programming on Barefoot Tofino silicon easier, Arista provides packaged profiles that contain data plane and control plane features for specific applications. Network managers can customize the profiles using P4 and deploy them on EOS.

“We’ll have to see what sort of benefits customers derive from using the [7170] technology in real-world production environments,” said Brad Casemore, an analyst at IDC. “In theory, it certainly has the potential to handle some tasks typically addressed by routers and middleboxes.” 

Arista application profiles

Examples of the applications defined in the Arista profiles include network overlays and virtualization to offload network functions, such as traffic segmentation or tunnel encapsulation from virtual servers.

Other profiles provide network and application telemetry for flow-level visibility, configurable thresholds and alarms, timestamping and end-to-end latency. Arista also offers profiles supporting some firewall functionality and large-scale network address translation. NAT lets many internal hosts share one or a few public IP addresses, which conserves public address space and hides internal addressing from the outside. It is not a substitute for firewall policy, though, since address translation by itself does not inspect or authorize traffic.

“How readily those profiles are embraced and productively employed could determine the extent to which the 7170 successfully addresses the use cases Arista has identified,” Casemore said.

The 7170 series has two models. The first is a 1RU chassis that supports 32, 64 or 128 ports at 40/100 GbE, 50 GbE and 10/25 GbE, respectively. The second is a 2RU system that supports 64, 128 or 256 interfaces at 40/100 GbE, 50 GbE and 10/25 GbE, respectively. The hardware processes up to 12.8 terabits per second.

Base pricing for a 64-port system is $1,200 per port.

In March, Arista introduced two 25/100 GbE switches for cloud providers, tier-one and tier-two service providers, high-tech companies and financial institutions ready to replace 40/100 GbE switches with more powerful systems.

Arista is targeting the two switches — the 7050X3 and the 7260X3 — at different use cases. The former is an enterprise or carrier top-of-rack switch, while the 7260X3 is for leaf-spine data center networks used in large cloud environments.