by 0xfffafaCrash 1258 days ago
Isn’t Truffle Security opening themselves up to litigation from this? It’s harmless, but is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?
5 comments

These takeovers are often just a case of finding stale DNS entries that are pointed at resources which can be re-allocated by third parties, i.e. elastic IP addresses on AWS. So it's very likely that the person had legit access to that IP, not their fault MS pointed a DNS entry at it when they did not control it.
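The stale-record scenario in the comment above is something a zone owner can audit for. The following is an added example, not code from the thread or from Truffle Security: it parses a constructed zone, treats a hypothetical provider range and hostname suffix as "re-allocatable by third parties", and flags records that point there but no longer match the resources the organisation still holds.

```python
import ipaddress

# Constructed sample data (all names, ranges and addresses are hypothetical).
# Addresses in this range are handed out to whoever allocates them next,
# like AWS elastic IPs; hostnames under this suffix behave the same way.
REALLOCATABLE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
PROVIDER_SUFFIXES = (".example-cloud.test",)
# What the organisation currently holds according to its own inventory.
OWNED_IPS = {"203.0.113.10", "203.0.113.11"}
OWNED_HOSTS = {"app-prod.example-cloud.test"}

ZONE_TEXT = """\
www.example.com.        IN A     203.0.113.10
old-demo.example.com.   IN A     203.0.113.57
intranet.example.com.   IN A     10.0.0.5
docs.example.com.       IN CNAME app-prod.example-cloud.test.
legacy.example.com.     IN CNAME retired-app.example-cloud.test.
"""

def parse_zone(text):
    """Parse 'name IN TYPE target' lines into (name, type, target) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        records.append((parts[0].rstrip("."), parts[2], parts[3].rstrip(".")))
    return records

def find_dangling(records, ranges, suffixes, owned_ips, owned_hosts):
    """Return records pointing at re-allocatable resources the org no longer holds."""
    findings = []
    for name, rtype, target in records:
        if rtype == "A":
            addr = ipaddress.ip_address(target)
            # Only provider-managed ranges can be re-allocated to a stranger;
            # a private or self-owned address is out of scope for this check.
            if any(addr in net for net in ranges) and target not in owned_ips:
                findings.append((name, rtype, target))
        elif rtype == "CNAME":
            host = target.lower()
            if host.endswith(suffixes) and host not in owned_hosts:
                findings.append((name, rtype, target))
    return findings

def audit_zone():
    return find_dangling(parse_zone(ZONE_TEXT), REALLOCATABLE_RANGES,
                         PROVIDER_SUFFIXES, OWNED_IPS, OWNED_HOSTS)

if __name__ == "__main__":
    for name, rtype, target in audit_zone():
        print(f"stale {rtype} record: {name} -> {target}")
```

A real audit would replace the constructed inventory with the provider's allocation API and the zone with an export from the DNS host; the comparison logic stays the same.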
Fair. I don’t think MS would have a great case in court, assuming the court was technically competent enough to understand the situation upon hearing the case, which is not an easy thing to assume, but I also think many applications of the CFAA (including e.g. the one against Aaron Swartz) also make little more sense when you get to the nuts and bolts of what actually happened. You don’t have to be in the wrong to be bankrupted by the costs of litigation against you from a corporation like Microsoft — not in the US justice system in any case.

Maybe I’m just risk averse here. I assume most of big tech with more legal weight than they know what to do with have about a 50/50 chance of having someone upstairs greenlighting legal to throw a tantrum even if it’s not in anyone’s best interests.

Maybe if this firm demonstrated an exploit of CORS headers elsewhere open to *.microsoft.com or something, they’d be on worse footing legally.

> [...] the risk of having Microsoft’s army of lawyers throw CFAA at you [...]

Especially now that this has been on Hacker News, I don't think even Microsoft is stupid enough to go on the offensive over something like this. The bad press would be so much greater than anything they have to gain.

Oracle enters the room...
Exactly, most PR professionals know about the damaging effect of the Streisand effect. There are better ways to ensure this isolated incident doesn't make it to the press, and deal with the independent researchers accordingly for not going through the proper channels.
The researchers did go through the proper channels, and were ignored.
Would you feel the same way if it was your computer? Maybe you didn't believe the reported issue was real.
Actually I would. They forced MS to fix a serious vulnerability (useful for phishing at the very least) by pulling a harmless stunt.
What do you mean "your computer"? They didn’t do anything to Microsoft’s computer. Or am I misunderstanding something?
> Maybe you didn't believe the reported issue was real

Then you should still check to make sure the issue isn't there.

> is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

Well, previously I'd never heard of Truffle Security, but now I have. So ... maybe?

> is the risk of having Microsoft’s army of lawyers throw CFAA at you really worth this?

Microsoft has Safe Harbor.

Tons of bug reporters already open themselves up to be hit by the CFAA.