CrowdStrike’s faulty update crashed 8.5 million Windows devices, says Microsoft - eviltoast
  • Technus@lemmy.zip · 203 upvotes · 4 months ago

    No validation, in the driver or the updater software.

    No validation or automated testing on publish.

    No staged rollouts.

    Just utterly irresponsible all around.

    • demizerone@lemmy.world · 83 upvotes · 4 months ago (edited)

      When I worked there six years ago, the company motto was “two feet on the gas pedal” because the CEO was a race car driver. I bailed after 10 months, giving up pre-IPO shares. The management for my team was nonexistent, and I was on the build and release team. People were doing releases manually. They’ve improved the automation some from what I hear, but it looks like the motto finally hit them.

      I should also say their metrics were absolutely staggering. The log aggregator was doing something like 2 trillion requests a week. All backed by Splunk. I never heard what they were paying, but it must have been fucking nuts.

      • Rediphile@lemmy.ca · 10 upvotes · 4 months ago (edited)

        Race car drivers definitely don’t put both feet on the gas pedal though… Like, what?

      • prole@sh.itjust.works · 1 upvote · 4 months ago (edited)

        The unfortunate thing is that, in the long run, that strategy will probably be super effective. Unless Europe (with the only internet regulations that actually have teeth) does something harsh enough, they will probably pay a few small fines over this at most. Cost of doing business and probably baked in already.

    • boatswain@infosec.pub · 46 upvotes · 4 months ago

      A coworker of mine has worked with CrowdStrike in the past; I haven’t. He said that the releases he was familiar with from them in the past were all staged into groups and customers were encouraged to test internally before applying them; not sure if this is a different product or what, but it seems like a big step backwards if what he’s saying is right.

      • ramble81@lemm.ee · 52 upvotes · 4 months ago (edited)

        I first dealt with them at least 10+ years ago and at the time they had no ability to do staged rollouts or targeted rollouts. We got updates when they said we did, no choice or control. We had to resort to updating our firewall to restrict the download endpoint and only open it in groups to do a phased update.
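Technus’s list above (no validation in the driver or updater, none on publish, no staged rollouts) and ramble81’s firewall-gated phased update describe the same two controls from opposite ends. The block below is an added example of both, written for this page; it is not CrowdStrike’s code, and the “channel file” layout (magic, version, entry count, payload length, fixed-size entries, trailing CRC32), the rule types, the ring names and the fleet model are all hypothetical. It shows a validator that refuses to parse a blob whose header, size or checksum is inconsistent, and a ring-by-ring rollout that stops at the first ring whose hosts fail, so a bug the publish-side checks cannot see still never reaches the broad ring.

```python
"""Constructed example: validate an update blob before publish/apply and push it
through rollout rings, halting on the first failing ring. Hypothetical format and
fleet model, not CrowdStrike's; standard library only."""
from __future__ import annotations

import struct
import zlib
from dataclasses import dataclass
from typing import Callable, Optional

MAGIC = b"CHNL"                         # hypothetical file magic
VERSION = 1
HEADER = struct.Struct("<4sHII")        # magic, version, entry_count, payload_len
ENTRY_SIZE = 16                         # each entry: 1-byte rule type + 15 bytes of rule data
MAX_ENTRIES = 4096
KNOWN_RULE_TYPES = {1, 2, 3}            # hypothetical rule types the parser understands
CRC = struct.Struct("<I")


def build_channel_file(entries: list[bytes]) -> bytes:
    """Pack fixed-size entries into a blob: header, payload, trailing CRC32 of the payload."""
    assert all(len(e) == ENTRY_SIZE for e in entries)
    payload = b"".join(entries)
    return HEADER.pack(MAGIC, VERSION, len(entries), len(payload)) + payload + CRC.pack(zlib.crc32(payload))


def validate_channel_file(blob: bytes) -> list[str]:
    """Return a list of problems; an empty list means the blob is safe to hand to the parser."""
    errors: list[str] = []
    if len(blob) < HEADER.size + CRC.size:
        return ["file shorter than header plus checksum"]
    magic, version, count, plen = HEADER.unpack_from(blob, 0)
    if magic != MAGIC:
        errors.append("bad magic")
    if version != VERSION:
        errors.append(f"unsupported version {version}")
    if not 1 <= count <= MAX_ENTRIES:
        errors.append(f"entry_count {count} out of range")
    if plen != count * ENTRY_SIZE:
        errors.append("payload_len disagrees with entry_count")
    if HEADER.size + plen + CRC.size != len(blob):
        errors.append("declared payload length disagrees with file size")
    if errors:
        return errors                   # never touch the payload once the header is suspect
    payload = blob[HEADER.size:HEADER.size + plen]
    (crc,) = CRC.unpack_from(blob, HEADER.size + plen)
    if zlib.crc32(payload) != crc:
        return ["crc mismatch"]
    for i in range(count):              # every index here is bounded by the checks above
        rule_type = payload[i * ENTRY_SIZE]
        if rule_type not in KNOWN_RULE_TYPES:
            errors.append(f"entry {i}: unknown rule type {rule_type}")
    return errors


@dataclass
class RolloutResult:
    applied: list[str]                  # hosts that took the update
    halted_at: Optional[str]            # "publish", a ring name, or None if the rollout completed
    reason: Optional[str]


ApplyFn = Callable[[str, bytes], bool]  # (host, blob) -> True if the host applied it cleanly


def staged_rollout(blob: bytes, rings: list[tuple[str, list[str]]],
                   apply_fn: ApplyFn, max_failure_rate: float = 0.0) -> RolloutResult:
    """Validate at publish, then push ring by ring; stop at the first ring whose failure
    rate exceeds the threshold so later rings never receive the update."""
    problems = validate_channel_file(blob)
    if problems:
        return RolloutResult([], "publish", "; ".join(problems))
    applied: list[str] = []
    for ring_name, hosts in rings:
        failed = [h for h in hosts if not apply_fn(h, blob)]
        applied.extend(h for h in hosts if h not in failed)
        if len(failed) / len(hosts) > max_failure_rate:
            return RolloutResult(applied, ring_name, f"{len(failed)}/{len(hosts)} hosts failed")
    return RolloutResult(applied, None, None)


def simulated_endpoint(crash_on_rule_type: int) -> ApplyFn:
    """Constructed fleet model: each endpoint re-validates the blob itself (driver-side
    validation) and additionally 'crashes' on one rule type that the publish-side checks
    consider well-formed, standing in for a bug that validation alone cannot catch."""
    def apply(host: str, blob: bytes) -> bool:
        if validate_channel_file(blob):
            return False
        payload = blob[HEADER.size:-CRC.size]
        return all(payload[i] != crash_on_rule_type for i in range(0, len(payload), ENTRY_SIZE))
    return apply


# Constructed inputs: three rings, a clean file, a well-formed file that trips the bug, a truncated file.
RINGS = [("canary", ["c1", "c2"]), ("early", ["e1", "e2", "e3"]), ("broad", ["b1", "b2", "b3", "b4"])]
GOOD = build_channel_file([bytes([1]) + b"A" * 15, bytes([2]) + b"B" * 15])
TRIGGERS_BUG = build_channel_file([bytes([1]) + b"A" * 15, bytes([3]) + b"C" * 15])
TRUNCATED = GOOD[:-7]

if __name__ == "__main__":
    fleet = simulated_endpoint(crash_on_rule_type=3)
    for name, blob in (("good", GOOD), ("triggers_bug", TRIGGERS_BUG), ("truncated", TRUNCATED)):
        print(name, staged_rollout(blob, RINGS, fleet))
```

The truncated file is rejected at publish without its payload ever being read; the well-formed-but-crashing file passes publish validation, takes out the two canary hosts, and the rollout halts before the early and broad rings. That is the gap ramble81’s firewall trick was closing by hand: the vendor pipeline did the validation (or not), and the customer had to supply the rings.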

      • SupraMario@lemmy.world · 10 upvotes · 4 months ago

        Channel files are different from sensor updates, which you have no control over for version control. Sensor releases you have control over.

    • Suzune@ani.social · 45 upvotes, 6 downvotes · 4 months ago

      The idea of “security software” is ridiculous overall. You buy software to fix security problems in Windows and it violates the original product by inserting code into kernel code. You lose support from the original product vendor. And you think you’re secure, even though the whole thing makes you forget that IT should always be fit to solve security/restorability problems even when everything else fails.

    • 0x0@programming.dev · 3 upvotes · 4 months ago

      No staged rollouts.

      I read somewhere that CS does allow for staged rollouts but some updates deliberately ignore them.