top | item 41162188


Anon4Now | 1 year ago

One issue that hasn't received enough attention comes from a comment on Dave Plummer's video on the CrowdStrike outage. Dave Plummer is a former Windows engineer and runs a YouTube channel called Dave's Garage.

@zug-zug wrote:

> While this is technically what crashed machines it isn't the worst part.

> CS Falcon has a way to control the staging of updates across your environment. Businesses that don't want to go out of business have an N-1 or greater staging policy and only test systems get the latest updates immediately. My work, for example, has a test group at N staging, a small group of noncritical systems at N-1, and the rest of our computers at N-2.

> This broken update IGNORED our staging policies and went to ALL machines at the same time. CS informed us after our business was brought down that this is by design and some updates bypass policies.

> So in the end, CS caused untold millions of dollars in damages not just because they pushed a bad update, but because they pushed an update that ignored their customers' staging policies which would have prevented this type of widespread damage. Unbelievable.

Link to video:

https://www.youtube.com/watch?v=wAzEJxOo1ts


soneil|1 year ago

I'm pretty sure this is why everything we got in the first 48 hours from CS was stressing that the issue was with a "channel file" (threat definitions, content updates, etc).

Their staged update process is for the falcon driver itself. It is not for the "channel files".

As I understand it, the driver itself is understood to be a risk, and they provide facility for an N, N-1, N-2 staged deployment to mitigate this risk.

As I understand it, channel files were not identified as a risk, and were never subject to this staged deployment.

The "sell" was that you could be running a trusted driver at N-2, but still have 0day protection from up-to-date channel files. And CS's initial feedback that the issue was not with the driver itself was CYA that they hadn't been misleading customers using such staged deployments.
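The two-track rollout described in this comment (sensor/driver releases walk the N, N-1, N-2 rings; channel files skip them) can be modelled directly. The following is an added illustration written for this thread, not code from CrowdStrike or from any commenter; the fleet, ring numbers, version numbers and the `content_follows_rings` option are all constructed assumptions. It computes, for a given update class, which hosts receive the update on day 0 and therefore what fraction of the fleet is exposed before any ring has had a chance to catch a fault, which is the gap the thread is about.

```python
"""Toy model of a ring-staged rollout in which content updates bypass the rings.

Hosts, ring assignments and version numbers below are constructed for
illustration. The behaviour modelled is the one the thread describes:
sensor (driver) releases reach ring N first, then N-1, then N-2, while
content ("channel file") updates go to every ring at once.
"""

from dataclasses import dataclass
from enum import Enum


class UpdateKind(Enum):
    SENSOR = "sensor"          # driver build: honours the ring policy
    CONTENT = "channel_file"   # detection content: bypasses the ring policy


@dataclass(frozen=True)
class Host:
    name: str
    ring: int  # 0 = N (test group), 1 = N-1, 2 = N-2


@dataclass(frozen=True)
class Update:
    kind: UpdateKind
    version: int


# Constructed fleet: two test hosts, two noncritical hosts, four critical hosts.
FLEET = [
    Host("test-01", 0), Host("test-02", 0),
    Host("kiosk-01", 1), Host("kiosk-02", 1),
    Host("pos-01", 2), Host("pos-02", 2), Host("pos-03", 2), Host("pos-04", 2),
]


def rollout_schedule(update, hosts, content_follows_rings=False):
    """Map day -> sorted host names that receive `update` on that day.

    Sensor releases land on ring r on day r (N day 0, N-1 day 1, N-2 day 2).
    Content updates land on every ring on day 0 unless `content_follows_rings`
    is set, which is the hypothetical policy a customer would have wanted.
    """
    schedule = {}
    for h in hosts:
        staged = update.kind is UpdateKind.SENSOR or content_follows_rings
        day = h.ring if staged else 0
        schedule.setdefault(day, []).append(h.name)
    return {d: sorted(names) for d, names in sorted(schedule.items())}


def bypasses_staging(update, hosts, content_follows_rings=False):
    """True if the update reaches any host outside the test ring on day 0."""
    day0 = set(rollout_schedule(update, hosts, content_follows_rings)[0])
    non_test = {h.name for h in hosts if h.ring > 0}
    return bool(day0 & non_test)


def blast_radius_day0(update, hosts, content_follows_rings=False):
    """Fraction of the fleet exposed before any ring can report a fault."""
    day0 = rollout_schedule(update, hosts, content_follows_rings)[0]
    return len(day0) / len(hosts)


def audit(updates, hosts):
    """Return (kind, version) for every update that ignores the ring policy."""
    return [(u.kind.value, u.version) for u in updates if bypasses_staging(u, hosts)]


if __name__ == "__main__":
    releases = [Update(UpdateKind.SENSOR, 7), Update(UpdateKind.CONTENT, 2)]
    for u in releases:
        print(u.kind.value, u.version,
              "day-0 exposure:", blast_radius_day0(u, FLEET),
              "bypasses staging:", bypasses_staging(u, FLEET))
    print("policy-bypassing updates:", audit(releases, FLEET))
```

Running the script shows the sensor release exposing 25% of the constructed fleet on day 0 and the content update exposing 100%; `audit` lists only the content update. Passing `content_follows_rings=True` is the control case: with that hypothetical policy the content update is staged like the driver and no longer appears in the audit output.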

Anon4Now|1 year ago

That's an important distinction. CrowdStrike probably did, in fact, CYA in the licensing terms.

binkHN|1 year ago

If this is true, this is the smoking gun that screams "negligence" from a legal standpoint and CrowdStrike's insurers will be making a lot of payouts.

msdrigg|1 year ago

Relevant to Dave Plummer: https://news.ycombinator.com/item?id=39813625

> Now, as to the tidbit. Dave Plummer ran a scam company that was sued by Washington State in 2006, "SoftwareOnline.com, Inc.". He actually left Microsoft specifically to run this company.

> Court documents can be seen here: https://www.atg.wa.gov/news/news-releases/attorney-general-s... You can find David W. Plummer listed in the court complaint.

> The short of it is that it was an online software scam company that tricked people into downloading fake Anti-virus and security software using online ads, and then the software delivered additional adware and nagware onto users machines.

chuckadams|1 year ago

The term “ad hominem” gets casually thrown around quite a bit in these parts, but boy howdy this is the literal textbook case of it. Plummer’s not one of the good guys, noted. Is he factually wrong?

fnordpiglet|1 year ago

That was like 18 years ago and not relevant to the topic or thread. People make mistakes in life and deserve to be able to move past them.

_zoltan_|1 year ago

Almost 20 years ago. Not sure if it's relevant. Certainly not to CrowdStrike.

timetraveller26|1 year ago

Wow, I didn't expect that.

That doesn't invalidate the parent comment though.

linuxftw|1 year ago

Wow, this is quite damning. I'm not sure, if I were Dave, that I would have posted that so publicly, as there are billions at stake here.

senectus1|1 year ago

Yeah, this is bullshit, and when we spoke to our cyber dept about why we chose a product that allows this they said "all the top tier products do this".

I did suggest we turn off the proxy for the "air gapped" parts of the network, and only turn it on when we're sure we're ready for it so the air-gapped parts can get the updates they need. But seriously... since when is it acceptable to give a vendor control that YOU DON'T HAVE over parts of your network... crazy days.