Microsoft to pay new bounties for identity services holes

Microsoft’s launched a new bug bounty program, this time for identity services. “Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions,” wrote principal security group manager Phillip Misner. But Redmond’s not just paying …

  1. thondwe

    Banyan Vines

    That I even remember the name "Banyan Vines" - god I'm old!

    1. bombastic bob Silver badge
      Devil

      Re: Banyan Vines

      yeah I remember being told that Vines ran on a version of UNIX ported to a 386 box, and if I remember correctly, the DOS drivers for it were nearly 200k... [that was HUGE back in those days]. Some DOS programs wouldn't even run with the network drivers loaded. As I recall that problem was "fixed" by running windows 3.0 though, using 386 'enchanted' mode to run DOS programs.

      Ah, windows 3.0! And, the 3D Skeuomorphic interface that made people WANT to run it! not like Win-10-nic. *diig* *dig* *dig* (obligatory digs at Win-10-nic)

      1. Alistair
        Coat

        Re: Banyan Vines

        Oddly Bob,

        Banyan drivers were much smaller for DRDOS. And the early (3.x 4.x) GEM actually had a driver manager for BV.

        Damn. I've been doing this shit too long.

  2. Griffo

    I doubt there's any BV code in there

    From what I understand AAD was a ground up clean sheet modern directory written specifically for multi-tenant web scale identity requirements. Compatibility with Windows AD objects was added afterwards, and AD services have been slowly bolted on, but again are clean room implementations. I doubt there's much if any code in AAD taken from Windows AD.

    1. Doogie Howser MD

      Re: I doubt there's any BV code in there

      As I recall, it's a custom build of ADAM. There's a blog post out there somewhere on TechNet about it.

    2. EnviableOne

      Re: I doubt there's any BV code in there

      Like Edge was a clean sheet from IE, but all the vulnerabilities/updates are the same.

  3. Destroy All Monsters Silver badge
    Coat

    This Window Sazure sure is gonna look good in my mansion.

    Why does Microsoft even have that many different sites for login & authentication services.

    Maybe start there.

    1. bombastic bob Silver badge
      Black Helicopters

      Re: This Window Sazure sure is gonna look good in my mansion.

      "Why does Microsoft even have that many different sites for login & authentication services."

      I'm glad SOMEBODY already said it, 'cause I was sure THINKING it!

      Here's another thing: If I attempt to crack M-shaft security, in order to perform vulnerability tests, and the captain DOES notice, will I _STILL_ get arrested by some idiotic law that prevents "regular people" from doing such tests for research purposes? You know, like some of the DMCA crap passed a while back? The same kind of "law" that says penetration testing is ILLEGAL, regardless of the reason for it? (like the arguments for making GUNS illegal because SOME people shoot other people with guns for criminal reasons, so 'they' wanna BAN THEM ALL)

      DMCA did what it did because there's no 2nd Amendment for HACKING. Worth pointing out.

      /me NOT grabbing my coat. SOMEONE has to say this kind of stuff. watching out for black helicopters, though...

      1. EnviableOne

        Re: This Window Sazure sure is gonna look good in my mansion.

        People don't want to ban all guns, they just subscribe to the theory - it's the right to bear arms, not artillery.

  4. Lee D Silver badge

    I don't think there's much of anything like Banyan Vines left in AD, Samba would have found it by now if there was, I should imagine. Whether in inter-compatibility testing, or legacy protocols that they try to support, or anything else.

    And given that Samba can be a full AD domain controller, I reckon they'd have stumbled across / recommended against any such code.

    Hell, to be honest, SMBv1 and v2 are already dead BECAUSE they're so insecure. That's how those worms of a few years ago propagated and even that was seen as "Why the hell does the NHS have that option enabled any more anyway?"

  5. Anonymous Coward
    Windows

    One AD to rule them all!

    We're about to abandon on-prem ADFS for 1,000s of users in favour of syncing password hashes to Azure AD and re-associating the SaaS trust relationships from ADFS to Azure AD.

    Far simpler to let MSFT handle all this than run on-prem ADFS and try to achieve all the nines up-time.

  6. Anonymous Coward
    Anonymous Coward

    "[Spotting Vulnerabilities] could score you between US$500 and $100,000"

    The bad news is in the small print - it's actually $500 to $100,000 worth of Zune hardware and subscriptions to Groove Music, though Microsoft helpfully point out that you can use it to treat yourself to as many Groove Music subscriptions as you like before they close the service down in December!

    (Mmm.... brown Zune. Also - no, not really).

  7. Teiwaz

    Going by the article pic, seems a lot of work just for a choccy bar.

    * Very drunk now....

    1. Michael Strorm Silver badge

      It's a bug bounty, which I assume is one of the poorer-selling variants.

      Personally, I prefer the milk chocolate one.

      (Ironically, your comment reminded me I had half a Bounty beside my desk, which I ate as I typed that out...)

  8. Richard Pennington 1

    If I find a bug...

    If I find a bug in your ID system, how do you know I am a security researcher? Or merely a hacker impersonating a security researcher?
