this post was submitted on 22 Jul 2024
579 points (97.5% liked)

Technology

[–] viking@infosec.pub 162 points 1 month ago (2 children)

To avoid such issues in the future, CrowdStrike should prioritize rigorous testing across all supported configurations.

Bold of them to assume there's a future after a gazillion of incoming lawsuits.

[–] finley@lemm.ee 78 points 1 month ago* (last edited 1 month ago) (3 children)

I was listening to a podcast earlier, and they mentioned the fact that their legal liability may, in fact, be limited because of specific wording in most of their contracts.

In other words, they may actually get away with this in the short term. In the long term, however, a lot of organizations and governments that were hit by this will be reevaluating their reliance on such monolithic tech solutions as CrowdStrike, and even Microsoft.

So you may be right, but not for the reasons you think.

[–] rumschlumpel 87 points 1 month ago (2 children)

and even Microsoft

(x) doubt

They had decades to consider Microsoft a liability. Why start doing something about it now?

[–] catloaf@lemm.ee 21 points 1 month ago (2 children)

Because cybersecurity is becoming more of a priority. The US government has really put their attention on it in the last few years.

[–] Tinidril@midwest.social 32 points 1 month ago* (last edited 1 month ago) (1 children)

I was in IT back in 2001 when the Code Red virus hit. It was a very similar situation where entire enterprises in totally unrelated fields were brought down. So many infected machines were still trying to replicate that corporate networks and Internet backbone routers were getting absolutely crushed.

Prior to that, trying to get real funding for securing networks was almost impossible. Suddenly security was the hottest topic in IT and corporations were throwing money at all the snake oil Silicon Valley could produce.

That lasted for a couple years, then things started going back to business as usual. Microsoft in particular was making all sorts of promises and boasts about how they made security their top priority, but that never really happened. Security remained something slapped on at the end of product development and was never allowed to interfere with producing products demanded by marketing with inherently insecure designs.

[–] xyguy@startrek.website 14 points 1 month ago

You're absolutely right. Everyone will be very worried and talk about the importance of security in the enterprise and yada yada yada until a cool new AI spreadsheet software comes out and everybody forgets to even check if their firewall is turned on.

But with that being said, if you have been looking for a good time to ask for cybersecurity funding at your org, see if you can't lock down 5 years' worth of budget while everyone is aware of the risk to their businesses.

[–] Maeve@kbin.earth 3 points 1 month ago

Hard to tell, sometimes.

[–] Maeve@kbin.earth 3 points 1 month ago

Literally lol'd. Thanks for that!

[–] Brkdncr@lemmy.world 12 points 1 month ago

Contracts aren’t set in stone. Not only are those contracts modified before they are accepted by both parties, it’s difficult to limit liability when negligence is involved. CS is at worst going to be defending against those, at best defending against people dumping them ahead of schedule against their contracted term length.

[–] TheBat@lemmy.world -2 points 1 month ago (1 children)

Oh, so you can fire the QA department, get an absolutely destructive update to millions of systems across the globe, and this gross negligence doesn't matter because of magic words in a contract? I don't think so.

[–] finley@lemm.ee 4 points 1 month ago* (last edited 1 month ago) (1 children)
[–] TheBat@lemmy.world 1 points 1 month ago

Then how else is their legal liability limited?

They killed off their QA department to chase profits which resulted in a broken product that crippled hundreds of organizations across the globe.

They don't get to just shrug, say oopsie, and point at the contract.

[–] mipadaitu@lemmy.world 35 points 1 month ago (3 children)

They mean after CrowdStrike gets sold, the new company promises a more rigorous QA, and quietly rebrands it.

Slorp is now Bonto!

[–] bitchkat@lemmy.world 7 points 1 month ago

I think you mean after they sell their assets to a new company. Leave the lawsuits with the old company who will shut down.

[–] Default_Defect@midwest.social 6 points 1 month ago (1 children)
[–] derpgon@programming.dev 7 points 1 month ago

What are you doing Counterstrike