by ks1723 685 days ago
I found it quite interesting that CrowdStrike actually excludes a bunch of services explicitly. They also basically say: don't use it if it needs to be reliable. I don't know if this is standard for software, but for me this was quite surprising.

From crowdstrike terms and services [1]: […] THERE IS NO WARRANTY THAT THE OFFERINGS OR CROWDSTRIKE TOOLS WILL BE ERROR FREE, OR THAT THEY WILL OPERATE WITHOUT INTERRUPTION OR WILL FULFILL ANY OF CUSTOMER’S PARTICULAR PURPOSES OR NEEDS. THE OFFERINGS AND CROWDSTRIKE TOOLS ARE NOT FAULT-TOLERANT AND ARE NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. NEITHER THE OFFERINGS NOR CROWDSTRIKE TOOLS ARE FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY, OR PROPERTY DAMAGE. Customer agrees that it is Customer’s responsibility to ensure safe use of an Offering and the CrowdStrike Tools in such applications and installations. CROWDSTRIKE DOES NOT WARRANT ANY THIRD PARTY PRODUCTS OR SERVICES.

[1] section 8.6 of https://www.crowdstrike.com/terms-conditions/

4 comments

> I don’t know if this is standard for software

This is pretty standard. There is almost identical language in the Windows and macOS EULAs, for example.

Same for datasheets of most electronic components. The manufacturers don't want the responsibility to avoid possible multi-million lawsuits.

So how does it get installed on all the endpoints in 911 dispatch centers?
Because FBI CJIS requirements, adopted by state law enforcement bodies, require it. I support a Public Safety Answering Point (PSAP, aka a 911 call center) and I push back on as many of the inane requirements as I can with compensating controls.

Example: As of right now I am still required to expire passwords every 90 days. My state is considering the current guidance from NIST but FBI CJIS policy still mandates the expirations.

I don't know what CJIS requirements entail precisely, but at a first glance, they seem reasonable. But it's weird that people then think they can comply by installing a product with a disclaimer against their intended use. It's just a token acknowledgment: "Yeah, we've read it, but we don't really care."

If that's also the interpretation of the courts, then each company would be individually liable, at least towards the government.

Holy shit, I cannot stand the password expiration requirements. Like you said, NIST literally recommends against it, but so many regulations require it. So aggravating.

Because no endpoint protection software exists that doesn't have the same disclaimer clause. So you install this one and accept the lack of vendor liability.

(If such a thing did exist, it would cost a lot more!)

What is the alternative? Have you considered the possibility that those could be the best out there for 911 despite their imperfections?

The data entry endpoints in a 911 dispatch center should not be running a general purpose consumer OS. They should be single purpose machines much closer to a dumb VT100 terminal than a personal computer. Maybe something like a stripped down hardened Chromebook. No internet connection. No personal email, web, or other use allowed or even possible. A product like CrowdStrike should not be needed because it should not be possible to run anything but the dispatching software on those machines.

That's what computer aided dispatch (CAD, in the industry) software was 30 years ago (my PSAP had an AS/400). The market has rejected it. Also, see my other comment re: FBI CJIS policy.

In the PSAP I support we have three dedicated PCs at each workstation to run the CAD, phones, and radio. Each of those has a dedicated VLAN, separate physical servers and storage, separate Active Directory forest for CAD (no AD for radios or phones-- standalone PCs), and default-deny ACLs for inbound and outbound traffic on the hosts and at the borders.

A fourth dedicated PC (VLAN, ACLs, physical servers, AD environment) does email, web browsing, etc. (All of it is shackled together with a nice KVM that supports a single keyboard and mouse controlling up to 5 PCs.)

Not every PSAP does this and I think that's insane. The law and fire agencies we interface with absolutely do put a single PC on a desk (or in a cruiser) and use it for everything (and we filter and monitor the traffic coming in from them over our VPN heavily and block access at the first sign of anomalous traffic). Often their budgets don't support the notion of using dedicated computers for task-oriented work. The marketers have pushed general purpose devices for this kind of application.

In the last 5 years all three "hardened" systems we use (all companies acquired by Motorola) have started requiring Internet access for various APIs they use, and for integration with third-party vendors (mapping, public information databases, and task instructions for telecommunications). I think it's ridiculous, but I don't get to decide the direction of the product roadmaps or what the business stakeholders want from a feature perspective.

Motorola (who makes the CAD software used by some of the largest US municipalities) is pushing for hosted CAD and integrating hosted features into on-prem systems. (Of course, they have a managed security product offering that they want to sell alongside it.)
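The "default-deny ACLs for inbound and outbound traffic on the hosts" described in the PSAP setup above can be expressed as a Windows Firewall baseline for a dedicated CAD workstation. This is an added example, not the commenter's configuration or any vendor's: the CAD server addresses, the CAD-forest domain controller address and the CAD client port are constructed placeholders, and the allow list is deliberately limited to the CAD application plus Active Directory authentication so that the host cannot reach anything else, even by IP.

```powershell
# Added example (not the commenter's configuration). All addresses and ports are
# constructed placeholders for a dedicated CAD workstation in its own VLAN/AD forest.
$CadServers  = '10.10.20.10', '10.10.20.11'   # placeholder: CAD application servers
$DomainCtrls = '10.10.20.5'                    # placeholder: CAD-forest domain controller
$CadPort     = 5150                            # placeholder: TCP port the CAD client uses

# 1. Default-deny in both directions on every profile. Outbound blocking is the part
#    most host firewalls leave open; it is what keeps a compromised workstation from
#    reaching anything other than the services explicitly listed below.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Drop any pre-existing allow rules so the effective policy is exactly what follows.
Get-NetFirewallRule -Action Allow | Remove-NetFirewallRule

# 3. Explicit allow: CAD client traffic to the CAD servers only.
New-NetFirewallRule -DisplayName 'CAD client -> CAD servers' -Direction Outbound `
    -Action Allow -Protocol TCP -RemoteAddress $CadServers -RemotePort $CadPort

# 4. Explicit allow: DNS, Kerberos, RPC mapper, LDAP(S), SMB (GPO/SYSVOL), kpasswd and
#    the RPC dynamic range, all restricted to the CAD-forest domain controller.
foreach ($p in 53, 88, 135, 389, 445, 464, 636, '49152-65535') {
    New-NetFirewallRule -DisplayName "AD TCP $p -> CAD DC" -Direction Outbound `
        -Action Allow -Protocol TCP -RemoteAddress $DomainCtrls -RemotePort $p
}
foreach ($p in 53, 88, 123, 389, 464) {
    New-NetFirewallRule -DisplayName "AD UDP $p -> CAD DC" -Direction Outbound `
        -Action Allow -Protocol UDP -RemoteAddress $DomainCtrls -RemotePort $p
}

# 5. Log dropped packets so anomalous traffic is visible in pfirewall.log for review.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# 6. Verify the baseline: both default actions must read "Block" on every profile.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
```

Run this from an elevated PowerShell session on the workstation, or put the equivalent settings in a Group Policy object scoped to the CAD workstation OU so a local change cannot silently widen the policy. Anything the CAD vendor later requires (the Internet-facing APIs mentioned above, for example) then has to be added as a named rule with a specific remote address, which keeps the exception list reviewable rather than reopening outbound traffic wholesale.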

Usually the largest of companies will have their own customized T&Cs governed by their Master Services Agreement (MSA), which are often very modified versions of these publicly available ones.

My experience has been that better legal counsel has the relevant terms struck before the deal is signed. In this case it would have been the terms around aircraft and aviation.

There often are limits to how much you can disclaim in your T&C. If under the same terms you cause damages deliberately you'll be held liable, and obvious gross negligence can be a factor as well.

There are often 3 opinions between any 2 lawyers so we have a chance to learn the outcome many months and millions of dollars later.