by Anon4Now 688 days ago
One issue that hasn't received enough attention comes from a comment on Dave Plummer's video on the CrowdStrike outage. Dave Plummer is a former Windows engineer and runs a YouTube channel called Dave's Garage.

@zug-zug wrote:

> While this is technically what crashed machines it isn't the worst part.

> CS Falcon has a way to control the staging of updates across your environment. Businesses that don't want to go out of business have an N-1 or greater staging policy, and only test systems get the latest updates immediately. My work, for example, has a test group at N staging, a small group of noncritical systems at N-1, and the rest of our computers at N-2.

> This broken update IGNORED our staging policies and went to ALL machines at the same time. CS informed us after our business was brought down that this is by design and some updates bypass policies.

> So in the end, CS caused untold millions of dollars in damages not just because they pushed a bad update, but because they pushed an update that ignored their customers' staging policies which would have prevented this type of widespread damage. Unbelievable.

Link to video:

https://www.youtube.com/watch?v=wAzEJxOo1ts

5 comments

I'm pretty sure this is why everything we got in the first 48 hours from CS was stressing that the issue was with a "channel file" (threat definitions, content updates, etc).

Their staged update process is for the falcon driver itself. It is not for the "channel files".

As I understand it, the driver itself is understood to be a risk, and they provide facility for an N, N-1, N-2 staged deployment to mitigate this risk.

As I understand it, channel files were not identified as a risk, and were never subject to this staged deployment.

The "sell" was that you could be running a trusted driver at N-2, but still have 0day protection from up-to-date channel files. And CS's initial feedback that the issue was not with the driver itself was CYA that they hadn't been misleading customers using such staged deployments.
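The distinction drawn in the comment above (the sensor is ringed N / N-1 / N-2, the channel files are not) is easy to model, and doing so shows why the ringed rollout gave a false sense of protection. The following is an added example written for this thread, not CrowdStrike code or anything from the linked video; the fleet, the ring layout, the update classes and the "bypass" policy value are all constructed assumptions. It computes which hosts an update reaches under a staging policy and reports the update classes the rings do not govern at all, which is the question a defender would want to put to any vendor with a similar staged-deployment feature.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed fleet for illustration: ring 0 = "N" (test systems),
# ring 1 = "N-1" (non-critical), ring 2 = "N-2" (everything else).
FLEET: List[Dict] = (
    [{"name": f"test-{i}", "ring": 0} for i in range(2)]
    + [{"name": f"noncrit-{i}", "ring": 1} for i in range(5)]
    + [{"name": f"prod-{i}", "ring": 2} for i in range(43)]
)

# Hypothetical staging policy. An update class is either "ringed" (delivered
# only to hosts whose ring is at or below the release's current stage) or
# "bypass" (pushed to every host at once, regardless of ring). The class
# names and the "bypass" value are assumptions, not a real product's schema.
POLICY: Dict[str, str] = {
    "sensor": "ringed",   # the driver/agent itself, promoted N -> N-1 -> N-2
    "content": "bypass",  # channel files / detection content, not ringed
}


@dataclass
class Update:
    kind: str   # update class, e.g. "sensor" or "content"
    stage: int  # how far the vendor has promoted it: 0 = test ring only


def eligible_hosts(fleet: List[Dict], update: Update, policy: Dict[str, str]) -> List[str]:
    """Return the hosts that receive `update` right now under `policy`."""
    mode = policy.get(update.kind)
    if mode is None:
        raise ValueError(f"no staging policy defined for update class {update.kind!r}")
    if mode == "bypass":
        # Rings are irrelevant: every host gets it immediately.
        return [h["name"] for h in fleet]
    return [h["name"] for h in fleet if h["ring"] <= update.stage]


def blast_radius(fleet: List[Dict], update: Update, policy: Dict[str, str]) -> float:
    """Fraction of the fleet a defective build of `update` would hit at once."""
    return len(eligible_hosts(fleet, update, policy)) / len(fleet)


def audit_policy(policy: Dict[str, str]) -> List[str]:
    """Update classes the rings do not protect; these need their own controls."""
    return sorted(kind for kind, mode in policy.items() if mode == "bypass")


if __name__ == "__main__":
    for upd in (Update("sensor", 0), Update("sensor", 1), Update("content", 0)):
        print(f"{upd.kind:8} stage {upd.stage}: "
              f"{blast_radius(FLEET, upd, POLICY):.0%} of fleet")
    print("classes bypassing rings:", audit_policy(POLICY))
```

Under these assumptions a sensor build that is still at stage 0 reaches 4% of the fleet and a bad channel file reaches 100% of it; `audit_policy` is the one-line check that would have surfaced the gap before the outage rather than after.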

That's an important distinction. CrowdStrike probably did, in fact, CYA in the licensing terms.
If this is true, this is the smoking gun that screams "negligence" from a legal standpoint and CrowdStrike's insurers will be making a lot of payouts.
Relevant to Dave Plummer: https://news.ycombinator.com/item?id=39813625

> Now, as to the tidbit. Dave Plummer ran a scam company that was sued by Washington State in 2006, "SoftwareOnline.com, Inc. ". He actually left Microsoft specifically to run this company.

> Court documents can be seen here: https://www.atg.wa.gov/news/news-releases/attorney-general-s... You can find David W. Plummer listed in the court complaint.

> The short of it is that it was an online software scam company that tricked people into downloading fake Anti-virus and security software using online ads, and then the software delivered additional adware and nagware onto users machines.

The term “ad hominem” gets casually thrown around quite a bit in these parts, but boy howdy this is the literal textbook case of it. Plummer’s not one of the good guys, noted. Is he factually wrong?
The stuff he claims on his videos is at best misleading, at worst outright lies. Like his recent claim that he made the vertical text in the Windows start menu render in real time instead of a bitmap. Except every version of Windows (released/beta/unreleased or even the various source code leaks) that had that type of start menu used a bitmap.
That was like 18 years ago and not relevant to the topic or thread. People make mistakes in life and deserve to be able to move past them.
Almost 20 years ago. Not sure if it's relevant. Certainly not to CrowdStrike.
Wow, I didn't expect that.

That doesn't invalidate the parent comment though.

Wow, this is quite damning. I'm not sure, if I were Dave, I would have posted that so publicly, as there are billions at stake here.
Yeah, this is bullshit, and when we spoke to our cyber dept about why we chose a product that allows this they said "all the top tier products do this".

I did suggest we turn off the proxy for the "air gapped" parts of the network, and only turn it on when we're sure we're ready for it so the airgapped parts can get the updates they need. But seriously... since when is it acceptable to give a vendor control that YOU DON'T HAVE over parts of your network.. crazy days.