I would honestly think freezing airports, hospitals and other services for days would cause a lot of legal trouble.

At least that’s what would happen if an experienced hacker did the same thing.

  • Skull giver@popplesburger.hilciferous.nl · 4 days ago (edited)

    Presumably contracts are in place that determine SLA levels for fixes. I doubt this will go anywhere. If there are fines to be paid, those fines will have been determined by lawyers years ago, and they’re probably not very high given how people choose software like this.

    There are alternatives to CrowdStrike. All of them carry the same risk. The one companies pick depends on the golf courses/skyboxes/cruises the CEOs visit and what representatives “happen” to visit with them/offer to pay their tickets.

    What’s more, most CrowdStrike customers don’t want them to go bankrupt, or even worse, get sold to their own competitors. Suing CrowdStrike into the ground is shooting yourself in the foot. The company has to survive.

    As for the downtime itself, that’s also partially caused by companies putting all of their eggs in one basket. If the hospital decided that all computers need to have the exact same low-level monitoring solution, then it’s their own design that caused the hospital to become inoperable when their computers started crashing. There’s a reason airplane companies will hand the same spec to two different companies to make the same redundant component twice: if one fails because of a bug, the other should stay up and take over, because it’s probably not hit by the same bug. Every company that went down chose their one, single design, with their single set of critical points of failure, and lacked the redundancy necessary to keep operating.

    We can all get mad at CrowdStrike for having bugs in their kernel drivers as much as we want, and we can get mad at the lack of testing they applied to their bug-triggering definition updates, but when Iranian/Chinese/Russian hackers take over the CrowdStrike servers for a week and serve actual malware, we’re all going to be fucked unless we add the redundancy necessary to prevent this from happening again. Hopefully companies have learned from this, though I highly doubt they have.

    Companies may lay blame on CrowdStrike, but people should be mad at the companies and services that went down entirely because of one single bug.