CrowdStrike Hopes Legal Threats Will Fade As Time Passes (theregister.com)
CrowdStrike CFO Burt Podbere says the cybersecurity firm has not faced lawsuits over July's global IT outage. Speaking at a conference, Podbere emphasized efforts to shift customer focus from legal threats to business discussions. The Register: There were dark rumblings from Delta Air Lines last month, for example, threatening litigation over alleged gross negligence. At the time, CrowdStrike reiterated its apologies, saying: "Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party." During his time at the Citi conference, Podbere admitted: "We don't know how it's all going to shake out.
"Everything we're doing and trying to do is take the legal discussion away from our interaction with customers and move it to the business discussion. "And as time goes on, that does get easier because we're moving further away from the Sun, right? And that's how we think about it."
can't see how the meritless line stands up (Score:5, Insightful)
"Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party."
How can they say it is meritless? By their own admission they failed in basic security and testing. CrowdStrike, when they go into organisations, spruik their ability to do security better and safer than Microsoft/Linux/Apple et al. Turns out they have processes that were frowned upon even 20 years ago, with poor testing/development and deployment practices.
Re: (Score:2)
YES. And if they do get off, it shows there's no real ability to hold corporations for software failures. That would be A Bad Thing for customers/users, even if it's the preferred result for software vendors.
Re: (Score:2, Interesting)
And if they do get off, it shows there's no real ability to hold corporations [accountable] for software failures.
The damage done far exceeds the company's ability to pay out of its cash flow. It isn't plausible to make everyone whole.
Lawsuits will burn up a huge amount of money by all the litigants, meaning everyone receives less as the costs rise and the pie shrinks.
The outcome of most lawsuits is that the lawyers win, and everyone else loses.
Re: (Score:2)
To be fair, that is CrowdStrike's problem.
Nope.
If I owe you ten dollars, that's my problem.
If I owe you a billion dollars, that's your problem.
Re: (Score:1)
Software license and liability precedent to be set (Score:2)
1. How much liability does a software company have for failures it caused other companies because of errors, omissions, intended or unintended?
2. Can such actions be forced into arbitration via a software license agreement?
3. Can multi-national corporate customers jurisdiction shop and file multiple legal cases against CrowdStrike?
4. Can CrowdStrike legally continue to be in business and sell new licenses due to possible future insolvency?
#4 is can you sell new product, invest in new product, staff developer
Re: (Score:2)
Re: can't see how the meritless line stands up (Score:4, Insightful)
Re: (Score:2)
YES. And if they do get off, it shows there's no real ability to hold corporations for software failures. That would be A Bad Thing for customers/users, even if it's the preferred result for software vendors.
I wonder how many settlements were reached to avoid damaging trials?
Re: can't see how the meritless line stands up (Score:4)
Their customers are slowly realising, at the MBA level, that the problem isn't really at Crowdstrike's end.
Irrespective of what Crowdstrike failed at, the fact that Crowdstrike was able to simultaneously impact so many customers instantly is an indication of infrastructure shortcuts at the customer's end. And those shortcuts might be more a M$ problem I suspect.
Re: can't see how the meritless line stands up (Score:2)
Clownstroke failed at input validation.
If you do anything other than blame and mock them for that you are part of the problem
Re: (Score:2)
Whatever they failed at is kind of irrelevant though. I think that's what is finally sinking in.
Re: can't see how the meritless line stands up (Score:4, Insightful)
I think it matters a lot. This is really basic competency stuff and they want to be in charge of security, and use a direct kernel interface? Even if Microsoft did provide a reasonable API for doing what they are doing, odds are good that if they screwed up badly enough with it they could still cause severe problems with the system up to and including abnormal termination. I am happy to throw Microsoft under the same bus, but they still have to go down.
Re: (Score:2)
"Gross negligence" is the legal term that would apply here.
I think Delta was down for something like 4 days though, when it should have been 1 day if they had any kind of contingency plan. So they might end up getting a quarter of whatever they ask for. And I think they will ask.
Re: (Score:2)
I agree that Delta's problem was obviously partly of their own making, and that this limits what they can reasonably ask for.
On the other hand, CrowdStrike's promise was to improve uptime by catching threats, and their salesdroids may well have made promises to Delta that their product couldn't back up. I mean, that's what they do, right? What Delta has in writing is going to matter a whole lot.
Re: (Score:2)
Yes, there is negligence. But it ain't Crowdstrike's negligence that allowed them the free roaming.
Re: (Score:2)
In general, I agree, but the problem is whenever a company goes down, there's lots of collateral damage to employees who had no connection to the failure. Ideally, only the C-suite would be personally affected and, in this case, additionally the QA manager and responsible tech lead.
Re: (Score:2)
In general, I agree, but the problem is whenever a company goes down, there's lots of collateral damage to employees who had no connection to the failure.
That's true, but it's an argument for UBI, not against holding corporations accountable for the actions of the execs.
Ideally, only the C-suite would be personally affected and, in this case, additionally the QA manager and responsible tech lead.
You had me at affected. The leadership should be held personally financially accountable. They get the bulk of the rewards, they should take the bulk of the risk.
Re: (Score:2)
Re: (Score:2)
I think it matters a lot. This is really basic competency stuff and they want to be in charge of security
The reality that should be sinking in is you CANNOT safely trust one entity with your security.
Deploying a piece of generic remote Auto-self-updating software to All your endpoints whose update process is outside-controlled, and has significant privileges and ability to affect their operation is a massive risk for critical infrastructure.
Re: can't see how the meritless line stands up (Score:2)
While what you say makes sense, how else are you going to crowdsource threat response?
Re: (Score:3)
My understanding is that CrowdStrike has (among others) a rollout process specifically designed to address immediate active threats. This rollout is ultimately owned by CrowdStrike as part of their product.
The problem is that they didn't have a testing process even close to being commensurate with that extreme of a rollout -- "roll out everywhere now!" is incredibly dangerous, even (especially!) for updates that are only "configuration", and while they did have some automated testing those tests didn't incl
Re: (Score:2)
That's not their job though is it. The customers should be validating their own deployments.
Re: (Score:2)
Re: (Score:2)
Their software is irrelevant to the problem at hand though. Crowdstrike aren't the ones behaving irresponsibly here.
The testing has to be done by each customer, individually. The customers are the irresponsible actors, and they know it.
Re: can't see how the meritless line stands up (Score:2)
Yes, it absolutely 100% is their job. Why? Because these rapid updates are an advertised feature of their product. Their business is based around detecting threats across multiple organizations and deploying rapid updates to those organizations to protect them before they are infected. If you're waiting to do your own validation then you're giving up one of the primary benefits of the software, rapid response.
As it turns out, they are grossly negligent, not actually doing that testing nor building features
Re: can't see how the meritless line stands up (Score:2)
They didn't do exactly the same thing on Linux.
The Windows problem prevented boot, so it couldn't be fixed remotely.
The Linux problems caused a kernel panic after a few minutes, so it could.
On Linux they use eBPF and on Windows they don't. This may account for the difference. A problem this severe might well not be able to occur on Linux as a result.
There is eBPF on Windows as well, but they don't use it. it's been suggested that this is because it's not mature on Windows, where it has been offered for a mu
Re: (Score:2)
Re: (Score:2)
Their customers are slowly realising, at the MBA level, that the problem isn't really at Crowdstrike's end.
Irrespective of what Crowdstrike failed at, the fact that Crowdstrike was able to simultaneously impact so many customers instantly is an indication of infrastructure shortcuts at the customer's end. And those shortcuts might be more a M$ problem I suspect.
The problem, when analyzed from a distance, shows potential issues throughout every aspect of deployment for those affected. But, there are trust issues that shouldn't exist, but do.
1. The business world has been taught to trust Microsoft. Now, those of us involved in tech have known better than that for a long time, but how many of us can convince the beancounters and the C suites that there are safer alternatives? Not a god damned one of us. It's a "at least everybody else trusts them, so I should too" th
Re: (Score:2)
They also failed basic software engineering. Only an utter incompetent does not validate all assumptions about the input.
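An added example of what "validate all assumptions about the input" looks like for a parser that consumes a vendor-pushed content update with high privilege. This is not code from the page or from CrowdStrike; the file layout (magic, entry count, fixed-width pattern ids), the field names and the pattern-table size are hypothetical, chosen only to show the checks: the header's count is bounded by the bytes actually present (dividing rather than multiplying, so a hostile count cannot overflow), trailing bytes are rejected, and every index is checked against the table it will be used on before anything is dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical update layout (an assumption for this example, not any vendor's
 * real format):
 *   bytes 0..3  magic "UPD1"
 *   bytes 4..7  entry_count, little-endian uint32
 *   then        entry_count records of one little-endian uint32 pattern_id,
 *               each indexing a table of PATTERN_TABLE_SIZE slots (assumed). */
#define UPD_MAGIC          "UPD1"
#define UPD_HDR_LEN        8u
#define UPD_ENTRY_LEN      4u
#define PATTERN_TABLE_SIZE 1000u
#define MAX_ENTRIES        64u

enum upd_status {
    UPD_OK = 0,
    UPD_ERR_ARG,       /* NULL buffer or output */
    UPD_ERR_SHORT,     /* header does not even fit */
    UPD_ERR_MAGIC,     /* wrong file type */
    UPD_ERR_COUNT,     /* claimed count exceeds bytes present or output capacity */
    UPD_ERR_TRAILING,  /* bytes left over after the last entry */
    UPD_ERR_RANGE      /* pattern_id would index past the table */
};

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse an update image into out[]. Every file-controlled value is checked
 * against the bytes actually present and the table it will index, so a
 * malformed image is rejected instead of causing an out-of-bounds read. */
enum upd_status upd_parse(const uint8_t *buf, size_t len,
                          uint32_t *out, size_t out_cap, size_t *out_n)
{
    if (buf == NULL || out == NULL || out_n == NULL)
        return UPD_ERR_ARG;
    *out_n = 0;
    if (len < UPD_HDR_LEN)
        return UPD_ERR_SHORT;
    if (memcmp(buf, UPD_MAGIC, 4) != 0)
        return UPD_ERR_MAGIC;

    uint32_t count = rd32le(buf + 4);
    /* Divide rather than multiply: count * UPD_ENTRY_LEN could overflow on a
     * hostile count, which is exactly the case this check exists for. */
    size_t max_by_bytes = (len - UPD_HDR_LEN) / UPD_ENTRY_LEN;
    if (count > max_by_bytes || count > out_cap)
        return UPD_ERR_COUNT;
    /* count * UPD_ENTRY_LEN is now known to fit inside len - UPD_HDR_LEN. */
    if (len - UPD_HDR_LEN != (size_t)count * UPD_ENTRY_LEN)
        return UPD_ERR_TRAILING;

    for (uint32_t i = 0; i < count; i++) {
        uint32_t id = rd32le(buf + UPD_HDR_LEN + (size_t)i * UPD_ENTRY_LEN);
        if (id >= PATTERN_TABLE_SIZE)
            return UPD_ERR_RANGE;   /* would be a wild index into the table */
        out[i] = id;
    }
    *out_n = count;
    return UPD_OK;
}

/* Build a constructed sample image; 'claimed' lets a vector lie about the count. */
static size_t build_image(uint8_t *dst, uint32_t claimed,
                          const uint32_t *ids, size_t n)
{
    memcpy(dst, UPD_MAGIC, 4);
    wr32le(dst + 4, claimed);
    for (size_t i = 0; i < n; i++)
        wr32le(dst + UPD_HDR_LEN + i * UPD_ENTRY_LEN, ids[i]);
    return UPD_HDR_LEN + n * UPD_ENTRY_LEN;
}

/* Constructed vectors, one per acceptance/rejection path. */
enum upd_status check_valid(void)
{
    uint8_t img[64]; uint32_t ids[3] = {1, 42, 999}, out[MAX_ENTRIES]; size_t n;
    size_t len = build_image(img, 3, ids, 3);
    enum upd_status st = upd_parse(img, len, out, MAX_ENTRIES, &n);
    return (st == UPD_OK && n == 3 && out[2] == 999) ? UPD_OK : UPD_ERR_ARG;
}
enum upd_status check_count_exceeds_bytes(void)
{
    uint8_t img[64]; uint32_t ids[2] = {1, 2}, out[MAX_ENTRIES]; size_t n;
    size_t len = build_image(img, 0xFFFFFFFFu, ids, 2); /* claims ~4G, carries 2 */
    return upd_parse(img, len, out, MAX_ENTRIES, &n);
}
enum upd_status check_trailing(void)
{
    uint8_t img[64]; uint32_t ids[2] = {1, 2}, out[MAX_ENTRIES]; size_t n;
    size_t len = build_image(img, 1, ids, 2);           /* claims 1, carries 2 */
    return upd_parse(img, len, out, MAX_ENTRIES, &n);
}
enum upd_status check_bad_id(void)
{
    uint8_t img[64]; uint32_t ids[1] = {PATTERN_TABLE_SIZE}, out[MAX_ENTRIES]; size_t n;
    size_t len = build_image(img, 1, ids, 1);           /* id one past the table */
    return upd_parse(img, len, out, MAX_ENTRIES, &n);
}
```

The ordering of the checks matters: the count is bounded by the buffer before it is used in any arithmetic, so the later multiplication cannot wrap, and the index range check happens before the id is handed to anything that would use it as a table offset. The same discipline applies whatever the real format is; the point is that a file the process did not build is treated as adversarial even when it comes from a trusted update channel.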
Re: (Score:2)
I completely concur. They should have a bank of all the potential target system types with common software installs, probably virtualized (though bare metal isn't a bad idea either, at least in some use cases) and distribute their update, then verify operation, before they push out to the world. It's not foolproof but it's a great defense against a gross negligence claim. As it stands, they have their pants down, ready to be fucked, whatever their lawyers think of their disclaimers and EULAs.
Re: (Score:2)
how can they say it is meritless, by their own admission they failed in basic security and testing
It's public posturing on CrowdStrike's part. Defense lawyers almost ALWAYS assert that claims made against them are meritless. In their eyes I'm sure it's meritless, due to CS only being responsible for their software, not for damages due to system failures, or because of such arguments as warranty terms that may state there is no warranty.
Re: (Score:1)
Wishful thinking. (Score:2)
Yes, I also hope all my problems will go away if I just ignore them.
Hope is not a legit strategy, or tactic. (Score:2)
Hope isn't something to be building strategy or tactics on.
"Hope for the best, prepare for the worst."
So.. rig for the worst. Lawyer up. And hope, for your sake, that discovery doesn't find untoward things.. and the top-floor execs may consider starting to pack parachutes, if they haven't already.
trust and customers too (Score:2)
Legal threats, trust, customers, CrowdStrike does not need any of those.
You don't get to crash customers' businesses (Score:3)
Re: You don't get to crash customers' businesses (Score:4, Insightful)
Not for much longer. The economic damage these cretins are doing is getting larger and larger.
That's some mighty fine wishful thinking there (Score:2)
Translation: (Score:1)
"We're going to the Dark Side"
Once again, a translation from Bizspeak to English (Score:4, Insightful)
"Public posturing about potentially bringing a meritless lawsuit against CrowdStrike as a long-time partner is not constructive to any party," according to CrowdStrike's CFO. This may be true. However, a lawsuit against CrowdStrike by an aggrieved partner might very well prove its merit by helping said partner recover from damage caused by CrowdStrike's defective software update. Hitting these vultures hard where it hurts, right square in the bottom line, might have the added bonus of encouraging other corporations inclined to abuse their clients' trust to exercise a bit more caution.
As extremely as they have screwed up... (Score:5, Insightful)
There really is only one choice: Leave them behind. Whether there is a possibility to get compensation for negligence that could not get much more gross is a question for the lawyers. For the engineers blacklisting crowdstrike is the only sane choice.
They screwed up, period (Score:2)
Windows shouldn't exist in its current state of duct-tape-and-bubblegum, and neither should crowdstrike. They need to return to the drawing board and figure
The new dogma is broken and needs to die (Score:2)
The dogma I'm referring to is the notion that security and management settings in Windows can be applied without rebooting the Windows system. This should never have become dogma, and it needs to end yesterday. It leads to lazy decision making as admins and programmers are left thinking that their changes "aren't that big of a deal". This has all kinds of disastrous downstream consequen