Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
Tbh it's pretty unprofessional for a security group to do what the post says SOCRadar did.
-
@RememberMe Given that Microsoft takes issue with the public release of a search tool, MS still seems to believe in "security through obscurity".
That in turn may be exactly why the group released that, because companies like MS usually don't give a shit unless thing blow up hot so that they have to get their ass up. -
@Fast-Nop to me it reads more like an irresponsible disclosure of vulnerable data. If you read the points MS objects to, it's not that the group made the search tool, but that it was done improperly ("We recommend that any security company that wants to provide a similar tool follow basic measures to enable data protection and privacy").
It also appears that the researchers exaggerated the scope of the issue (and didn't respond to followup). Both these are entirely fair game to be pissed at. Just because a security group says something doesn't make it true, publishing of such fundings should be done with verification from the affected company.
Security groups are usually pretty responsible about such things (the legit ones, not hackers). -
@RememberMe I wouldn't necessarily trust Microsoft to accurately respond because they have a conflict of interest in playing down anything bad with their booming cloud business.
For example, this here leaves slightly different impression of the situation: https://scmagazine.com/analysis/...
It also lets Microsoft's claims of erroneous attribution appear in another light. This is simply not true - it's that both sides have a different take on whether the data are in fact duplicates. -
hjk10156962y@RememberMe yeah that's a dangerous thing to do. Have seen that with Apple and Intel security issues too. Company's often downplay and try to award as little bug bounty as possible. Sometimes companies (especially MS has a history of this) takes such a long time that just releasing it to the public is the best option so at least it gets fixed instead of eventually silently exploited.
These companies have a whole marketing team involved.
Related Rants
Haha - whoever says Azure is totally fine unless people are too stupid to configure it might want to think again. Apparently, that shit is so difficult to configure securely that even Microsoft fails to do it: https://msrc-blog.microsoft.com/202...
random
azure
cloud shit
told you so