• viking@infosec.pub · 130 up · 2 down · 4 months ago

    To avoid such issues in the future, CrowdStrike should prioritize rigorous testing across all supported configurations.

    Bold of them to assume there’s a future after a gazillion off incoming lawsuits.

    • finley@lemm.ee · 66 up · 4 down · edited · 4 months ago

      I was listening to a podcast earlier, and they mentioned the fact that their legal liability may, in fact, be limited because of specific wording in most of their contracts.

      In other words, they may actually get away with this in the short term. In the long term, however, a lot of organizations and governments that were hit by this will be reevaluating their reliance on such monolithic tech solutions as CrowdStrike, and even Microsoft.

      So you may be right, but not for the reasons you think.

      • rumschlumpel@feddit.org · 64 up · 4 months ago

        and even Microsoft

        (x) doubt

        They had decades to consider Microsoft a liability. Why start doing something about it now?

        • catloaf@lemm.ee · 20 up · 2 down · 4 months ago

          Because cybersecurity is becoming more of a priority. The US government has really put their attention on it in the last few years.

          • Tinidril@midwest.social · 17 up · edited · 4 months ago

            I was in IT back in 2001 when the Code Red virus hit. It was a very similar situation where entire enterprises in totally unrelated fields were brought down. So many infected machines were still trying to replicate that corporate networks and Internet backbone routers were getting absolutely crushed.

            Prior to that, trying to get real funding for securing networks was almost impossible. Suddenly security was the hottest topic in IT and corporations were throwing money at all the snake oil Silicon Valley could produce.

            That lasted for a couple years, then things started going back to business as usual. Microsoft in particular was making all sorts of promises and boasts about how they made security their top priority, but that never really happened. Security remained something slapped on at the end of product development and was never allowed to interfere with producing products demanded by marketing with inherently insecure designs.

            • xyguy@startrek.website · 10 up · 4 months ago

              You’re absolutely right. Everyone will be very worried and talk about the importance of security in the enterprise and yada yada yada until a cool new AI spreadsheet software comes out and everybody forgets to even check if their firewall is turned on.

              But with that being said, if you have been looking for a good time to ask for cybersecurity funding at your org, see if you can’t lock down 5 years’ worth of budget while everyone is aware of the risk to their businesses.

      • Brkdncr@lemmy.world · 10 up · 1 down · 4 months ago

        Contracts aren’t set in stone. Not only are those contracts modified before they are accepted by both parties, it’s difficult to limit liability when negligence is involved. CS is at worst going to be defending against those, at best defending against people dumping them ahead of schedule against their contracted term length.

      • This is fine🔥🐶☕🔥@lemmy.world · 1 up · 2 down · 4 months ago

        Oh, so you can fire the QA department, push an absolutely destructive update to millions of systems across the globe, and this gross negligence doesn’t matter because of magic words in a contract? I don’t think so.

          • This is fine🔥🐶☕🔥@lemmy.world · 1 up · 1 down · 4 months ago

            Then how else is their legal liability limited?

            They killed off their QA department to chase profits which resulted in a broken product that crippled hundreds of organizations across the globe.

            They don’t get to just shrug, say oopsie, and point at the contract.

    • mipadaitu@lemmy.world · 25 up · 4 months ago

      They mean after CrowdStrike gets sold, the new company promises more rigorous QA and quietly rebrands it.

  • quinkin@lemmy.world · 74 up · 4 months ago

    Additionally, organizations should approach CrowdStrike updates with caution

    We would if we were able to control their “deployable content”.

    • ganymede@lemmy.ml · 58 up · 12 down · 4 months ago

      Not sure if you’re being sarcastic, but if anything this news paints Linux deployment in an even better light.

      • 𝙲𝚑𝚊𝚒𝚛𝚖𝚊𝚗 𝙼𝚎𝚘𝚠@programming.dev · 52 up · 7 down · 4 months ago

        Nah, but there were some Linux evangelists claiming this couldn’t possibly happen to Linux and it only happened to Windows because Windows is bad. And it was your own fault for getting this BSOD if you’re still running Windows.

        And sure, Windows bad and all, but this one wasn’t really Microsoft’s fault.

        • rottingleaf@lemmy.world · 11 up · 3 down · edited · 4 months ago

          The sane ones of us know well that a faulty driver is a faulty driver, but! Linux culture is different. Which is why this happened so spectacularly with Windows. EDIT: and not with Linux

          • vext01@lemmy.sdf.org · 11 up · 4 months ago

            Yeah, it supports kernel modules, so is also vulnerable to bad third party kernel code.

        • Ferris@infosec.pub · 1 up · 4 down · 4 months ago

          If they don’t know the boot sequence is a thing, maybe their opinion on this doesn’t really matter 🤷🏼

  • BurnSquirrel@lemmy.world · 10 up · 4 months ago

    Companies don’t really use Debian or Rocky in widescale production because they have no support.

    Now Red Hat or Ubuntu is a different matter.

    Honestly though, this does point out that this is a pattern of behavior on CrowdStrike’s part. This should have been the canary in the coal mine.

    • lud@lemm.ee · 1 up · 4 months ago

      We actually use Rocky and I think Debian at work for servers. We are currently migrating away from EOL CentOS.

  • NutWrench@lemmy.world · 3 up · 1 down · 4 months ago

    In April, a CrowdStrike update caused all Debian Linux servers in a civic tech lab to crash simultaneously and refuse to boot.

    And then you boot their servers from a Linux live USB, run Timeshift to restore the last system snapshot, refuse the latest patch from CrowdStrike, and they all lived happily ever after.

    • kevindqc@lemmy.world · 2 up · edited · 4 months ago

      So who do you think hacked the DNC and got their emails, then? Is it the same people who hacked the RNC but didn’t leak the emails? What makes you more qualified than CrowdStrike on this?

      • StaySquared@lemmy.world · 1 up · 1 down · 4 months ago

        U.S. intelligence officials cannot make definitive conclusions about the hacking of the Democratic National Committee computer servers because they did not analyze those servers themselves. Instead, they relied on the forensics of CrowdStrike, a private contractor for the DNC that was not a neutral party, much as “Russian dossier” compiler Christopher Steele, also a DNC contractor, was not a neutral party. This puts two Democrat-hired contractors squarely behind underlying allegations in the affair – a key circumstance that Mueller ignores.

  • Vilian@lemmy.ca · 2 up · 3 down · 4 months ago

    Because Linux sysadmins know to test a fucking update before applying it to the whole company.