You can't patch stupid
Uploading the hash apparently is the default. Someone turned it on.
The warning about what can happen if you turn on full binary upload is pretty explicit from what the Carbon Black blog showed. And if you throw stones in public with Irresponsible Disclosure...
DirectDefense probably should work on their own email security configuration:
"v=spf1 include:spf.protection.outlook.com include:aspmx.pardot.com -all"
equates to 379,653 IP addresses authorized to send email using their domain. Mass-email marketer and all Office 365 users. Not to worry, though. They've got it handled with DMARC:
_dmarc.directdefense.com: Non-existent domain
Good job on implementing DNSSEC to protect your customers and visitors from DNS spoofing as well:
Domain Name: DIRECTDEFENSE.COM
Name Server: NS55.DOMAINCONTROL.COM
Name Server: NS56.DOMAINCONTROL.COM
DNSSEC: unsigned
15 out of 100 is good, right? https://observatory.mozilla.org/analyze.html?host=www.directdefense.com
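Added example (not from this thread or either company): an offline version of the SPF and DMARC check described in the comment above, expanding `include:` mechanisms recursively and counting the authorized IPv4 space, against a constructed in-memory TXT table instead of live DNS; the domain name and CIDR blocks are illustrative placeholders, not the real published records.

```python
import ipaddress
import re

# Constructed TXT records standing in for DNS. The CIDR blocks are
# documentation ranges, not Microsoft's or Pardot's real SPF contents.
FAKE_TXT = {
    "directdefense.example": "v=spf1 include:spf.protection.outlook.com include:aspmx.pardot.com -all",
    "spf.protection.outlook.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/22 ip6:2001:db8::/48 -all",
    "aspmx.pardot.com": "v=spf1 include:spf.example.net ip4:192.0.2.0/25 ~all",
    "spf.example.net": "v=spf1 ip4:192.0.2.128/25 -all",
    # no "_dmarc.directdefense.example" entry, mirroring the missing record above
    "_dmarc.secured.example": "v=DMARC1; p=reject; rua=mailto:dmarc@secured.example",
}

def txt_lookup(name):
    return FAKE_TXT.get(name)

def expand_spf(domain, lookups=None, depth=0):
    """Follow include: terms recursively. Returns (networks, all-qualifier, lookup count).
    Only the top-level record's 'all' term matters; an included record's 'all' is ignored."""
    lookups = [0] if lookups is None else lookups
    nets, all_q = [], None
    record = txt_lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return nets, all_q, lookups[0]
    for term in record.split()[1:]:
        if term.startswith("include:"):
            lookups[0] += 1                 # RFC 7208 allows at most 10 DNS-querying terms
            if lookups[0] > 10 or depth > 10:
                break
            nets.extend(expand_spf(term[len("include:"):], lookups, depth + 1)[0])
        elif term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.endswith("all"):
            all_q = term[:-3] or "+"        # "-all" hard fail, "~all" soft fail, "+all" open
    return nets, all_q, lookups[0]

def dmarc_policy(domain):
    """Return the DMARC p= value, or None when no usable _dmarc record exists."""
    record = txt_lookup("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    match = re.search(r"\bp=(none|quarantine|reject)", record)
    return match.group(1) if match else None

def assess(domain):
    """Summarize how much address space may send as this domain, and whether DMARC backs it."""
    nets, all_q, n = expand_spf(domain)
    v4 = ipaddress.collapse_addresses(x for x in nets if x.version == 4)  # dedupe overlaps
    return {"ipv4_addresses": sum(x.num_addresses for x in v4),
            "ipv6_prefixes": sum(1 for x in nets if x.version == 6),
            "all": all_q, "dns_lookups": n, "dmarc": dmarc_policy(domain)}
```

Swapping `txt_lookup` for a real resolver turns this into a posture check for a domain you operate; a large IPv4 count paired with `"dmarc": None` is the combination the comment is pointing at.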
No, I do not work for either company nor have I ever done so. I simply don't like people who needlessly endanger others just to prove how smart they are. The real victims are the companies whose data was just put at risk because DirectDefense decided to go public first. I hope they just lost themselves some customers with that move.
At least some company named DirectDefense isn't being used as a reference for Cylance, a competitor of Carbon Black, or anything similar: https://www.cylance.com/cylanceprotect-achieves-hipaa-security-rule-compliance-certification
"The certification is made by DirectDefense, a leading provider of HIPAA/HITECH security assessment services to industries, such as healthcare and insurance, that process, store or transmit electronic protected health information (EPHI)."
Wait, what?
https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html?language=es
"It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation."
My opinion is the same as yours. "Snakeoil" hit it right on the head. They're all slimy in their own way.