These kinds of discussions are between corporations who have defined SLA's that specify things like reliability, uptime, etc. It's likely this outage breached this agreement so the lawyers of the companies are discussing internally and behind closed doors. This kind of thing doesn't get reported on in general.
And it might be years before the full fallout is fully litigated.
The gears of justice grind slowly but finely.
At least that’s what would happen if an experienced hacker did the same thing.
If you ignore the context of a massive company doing an oopsie daisy and a malicious hacker intentionally trying to cause the same disruption, that makes sense. Fortunately, most people are aware of the difference.
They will most likely either be sued or have financial repercussions, although there realy isn't a replqcement waiting in the wings if they went down. Plus they have had a pretty solid reputation for years, so an occasional oopsie is going to happen and as long as it doesn't happen repeatedly it is likely to be forgotten about in 6 months.
Heck, I wasn't even impacted because my work laptop was off and it was already sorted out before I turned it on that day.
If I had to guess there would be, at the very least, some businesses that used their business continuity insurance.
Those companies, after paying those claims, will probably be expecting reimbursement or preparing to sue crowdstrike to recoup those costs.
And likely Crowdstrike will have their own insurance. At the end of the day, it’s just gamblers sitting at the table, moving the chips around.
There are lawsuits: https://techcrunch.com/2024/09/02/crowdstrike-faces-onslaught-of-legal-action-from-faulty-software-update/
These things will probably take years to play out.
Well, for one, it's not known as "BSOD day" by any other customers that I know of. For two, there are contractual obligations, which prevents businesses from immediately pulling the plug and depriving them of funds, or from having knee jerk reactions, depending on your perspective. And finally, in just my own opinion, no other alternative solution provides a more compelling case for risk reduction without the same potential compromises even given the faulty deployment methodology that CS used. Sad, but true in my experience.
Needing kernel code for security sucks, don't have better options right now, encourage startups and take risks on them instead.
Sadly I’d say Cylance has a feature-complete alternative to Crowdstrike but Blackberry has done everything possible to not promote the product.
Cylance was comparable several years ago. But, as you say, Blackberry bought it. Development effectively stopped at that moment. Reported bugs were going un-triaged and the software stopped moving forwards and AV software that isn't constantly adapting becomes a security risk in itself. The two are not comparable now - CS has a lot of extra features, especially in attack monitoring and analysis.
We were Cylance customers, and we changed to Crowdstrike when our contract expired. It was the right choice at the time, as was our decision to choose Cylance before them. Turns out we have pretty crappy luck.
Yeah cylance definitely had some issues but it seems like they’ve recently been doing better in bringing features.
Another in this space is Palo Alto Networks XDR.
They have a shitload of big contracts with a great many companies across the world. Money keeps coming in.
Legal actions take time. Years. Sometimes decades.
The software, when it isn't bricking computers, is actually pretty good.
This could equally have been caused by any other software running at ring 0. That's most antivirus software and most drivers. Drivers caused BSODs all the time - the difference here is only one of scale and timing. And, as it turns out, some pretty terrible quality control, test processes and release scheduling - and that is likely to be the focus of many of the legal actions.
Your reference to a hacker is spurious - deliberate vs accidental is a major distinction. As is cause and effect - Microsoft can be seen as equally to blame for allowing software to run at ring 0 and allowing this to happen.
Need to remember that Microsoft was forced by regulators overseas to allow ring 0 third party software as part of antitrust proceedings. But the notion that antivirus software companies must be allowed to exist (instead of making the kernel infection proof) is also ridiculous
Microsoft was forced by regulators overseas to allow ring 0 third party software as part of antitrust proceedings.
Interesting - I wasn't aware of that. Gave me a few minutes of interesting googling, thanks.
Looks like some people don't agree that is an excuse.
Also worth remembering is that Crowdstrike stopped RHEL 9 machines booting in a vaguely similar update to their falcon service a few months earlier, so it's not something that is exclusive to Windows. That also needed manual intervention to get vms booting. (I dealt with that one too - but it's easier to roll back to the previous kernel with Linux and we had fewer machines that were running falcon) Not surprisingly, there was a very similar blame game played them.
I heard the argument on the link you shared before but I can't figure out what "appropriate controls" would look like. That too sounds quite hand-wavy.
Crowdstrike: If you sue us, we won't provide you with security anymore
Big companies: :(
(This is just satire)
Plenty of people are talking about how they did get sued and it’s working itself out.
If you believe that crowdstrike is a normal company doing security then the fact that most of their customers stuck with them after the event shows they’re doing something right.
If you believe crowdstrike is a natsec cutout then it won’t matter if they get sued.
Lol, Is that what they are? Are they a branch of the Us government spying on people?
I don’t feel one way or the other. Plenty of people instrumental to the company come from the natsec space though.
That’s not in and of itself damning though. Infosec people are often cops or soldiers of one kind or another because that’s where the jobs are.
I want to make the subtext text actually. When you speak with people on the internet in information security focused places you are most likely talking directly to cops and soldiers a good amount of the time and certainly in the presence of them.
According to the article, there is a question of gross negligence, which circumstance could have the effect of nullifying the contractual limitation of liability.
And anyone who knows what they're doing would have built in decent safeguards - obviously hindsight is a luxury here, but there's a reason there's a whole lot of checking that goes on when others are downloading update content over a hostile network... Input validation is a thing, and all that.
They just weren't very mature on that front, and now we all got to laugh at them but everyone else made similar mistakes along the way, just most of them started their journey decades ago (thinking windows update, etc), so we forget about the learning curve they suffered through building a resilient process
Among Boies’ wide range of high-profile clients are Theranos, Harvey Weinstein, victims of Jeffrey Epstein, and Al Gore in Bush v. Gore around the results of the 2000 presidential election. He also led the government’s antitrust case against Microsoft in the 1990s.
damn
A loosely moderated place to ask open-ended questions
If your post meets the following criteria, it's welcome here!
Looking for support?
Looking for a community?
~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~