by tha0x5 2099 days ago
I still don't understand how things like this can happen at companies of that size.

There are so many great tools (that MS can buy) and procedures (that they could have implemented decades ago) to prevent this garbage from happening in 2020, and it still happens every day.


Because at the end of the day, security is run by humans, who are imperfect and variant day to day. And also, the software used was likely programmed by one developer, and used by another. The user does not have the same depth as the developer, and did not assign specific byte-code definitions to the text option list. Thus the text interpretation is imperfect.
This is true and it's the unstoppable nature of complex systems and the myriad of people responsible for them.

That said, this line from the article is pretty damning, it took them 3 days to lock down that insecure server. For a company that size with all those security employees it looks both lazy and negligent.

> The infosec firm reported the problem to Microsoft on 13 September, and the database was vanished from public view by the Windows giant's security response centre on 16 September.

That's why you have process in place with standards. You should be able to know nothing but still fail safely.
No real consequences, so no incentive to change
Even if there are no direct consequences, surely it's bad PR which may make someone choose GCP over Azure, or GitHub over AZ DevOps, etc.
It's not though. Literally nobody cares.

One leak is a disaster, a massive leak every day is just, a non event.

If that was true then it wouldn't be news, nor at the top of HackerNews.
Top of hacker news is a pretty low bar. Do you really think that significant purchasing decisions are going to be influenced by this? That’s not a snarky rhetorical question, I’m actually asking.

I ask because I can tell you for a fact that at my large enterprise, they will not be. If anything, this incident will be used as an example by those looking for cover. “if an org like Microsoft can make this mistake, you really have no justification for being mad at our department for a similar leak.”

> Top of hacker news is a pretty low bar.

Not really, it means people do care, which is opposite of the original claim.

> Do you really think that significant purchasing decisions are going to be influenced by this? That’s not a snarky rhetorical question, I’m actually asking.

Not sure honestly. Even if it's a series of small, insignificant purchasing decisions, it can still amount to something significant.

> I ask because I can tell you for a fact that at my large enterprise, they will not be. If anything, this incident will be used as an example by those looking for cover. “if an org like Microsoft can make this mistake, you really have no justification for being mad at our department for a similar leak.”

That sounds like an insanely toxic environment. This is illogic that you can apply to everything: "well, if Microsoft can get by with cooking the books and violating customers' privacy, so can we."

I think more people would think: "if this is how they handle customer search data, imagine how terribly they handle data elsewhere."

> I still don't understand how things like this can happen at companies of that size.

The answer is right there in the question: companies of that size.

This is something I'd expect from a smaller company full of all those "full stack engineers".

The Matrix.org hack comes to mind.