On Crowdstrike
Vulnerabilities in the digital world are actually systemic. Large corporations are especially vulnerable because they don't fundamentally understand how to manage digital tech.
In the news, Crowdstrike CEO George Kurtz tweets:
CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts. Mac and Linux hosts are not impacted. This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website. We further recommend organizations ensure they’re communicating with CrowdStrike representatives through official channels. Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.
A subscriber asks:
Q: Were you affected? (I could access my banks without a problem)
Wouldn't all IT departments make sure 'Crowdstrike' or whoever else is responsible for failures is "worked around" and never used again? Or are they "too big" for there to be an alternative?
We MUST not allow monopolistic domination to occur in ways that cause such catastrophic failures. Someone or thing screwed up. Let's find an alternative and limit exposure.
This isn't a mere 'power outage!'
No, not even. I avoid Windows like the plague, and I have since 2011.
Most IT departments are like most bureaucracies. Few of them have breadth and depth, so their committees make consensus decisions. Getting money is like pulling teeth, so when they finally get to buy something they can’t build, they go blissfully along and never rethink their decision - because rethinking would mean they probably weren’t thinking properly in the first place. Especially when it comes to cybersecurity, which Crowdstrike is, it’s very much like police protection. The civilians don’t really know how to evaluate the effectiveness of what they get. They just assume that they are safe from their own foolishness.
The good news is that Crowdstrike’s market is crowded. Palo Alto Networks is the service I would choose. Sophos is good and FireEye / Mandiant is also very good. I wouldn’t trust Symantec or Cisco.
The problem here is that Crowdstrike goofed, and that goof is the vulnerability everybody has. Like when the LAPD forced everyone to use 9mm instead of .45. They push out their new versions and you don’t get a choice. What happened is that they pushed out a bad update, or they did it clumsily, maybe without testing it first. But the real problem is Windows. So here comes the complex part.
Windows is ancient and it was designed to always be backwards compatible with its old self for commercial reasons. As a consequence of this fundamental design, it uses a really crappy system called the Registry which was purposefully made cryptic and clumsy to change. So any time you install new software on a Windows operating system, the configuration for it lies in several weird, separate and sometimes inaccessible places. This makes it almost impossible for independent programmers to use parts of other programs, or for programs that have dependencies to easily know what those dependencies are.
Well guess what. If you’re a cybersecurity company, you have to update your software all the time in response to newly discovered threats. So you have to have a special permission to get to those weird places on every machine. This is a fundamental flaw that makes Windows more vulnerable than Linux, Android, MacOS and iOS. Windows is not horrible, but it’s like a VW Bug that keeps getting updated and serviced. You can put in all the airbags and new suspension you like. That door is still only 2 inches thick and those funny little triangle vent windows are still there.
Here is the deep systemic problem that is basically impossible to address comprehensively, and it is, comprehensively, how we have grown up, and it’s unlikely to ever change.
Corporate America doesn't know how to hire and manage software engineers.
They sure as hell know how to hire real-estate developers, attorneys, and all other varieties of professionals I imagine they take on. But there are few departments that have been more thoroughly outsourced than those that involve programmers and systems engineers. When you think about it, this is why venture capital exists. This is why Silicon Valley exists. It is why the NASDAQ exists. The whole of the Fortune 500, outside of what we now call 'tech', is largely ignorant of the proper care and feeding of software engineering.
There are a lot of consequences of this that are too numerous and complex to get into here, but is it any surprise that Amazon sells more of a company's stuff than companies can sell themselves? The entire direct sales model of doing business has undermined customer service in America. All of the independent travel agencies are closed down. The entire model of journalism has changed. All of the independent magazines and newspapers are shrinking. Why? Because software engineers, some of them young and foolish, figured out American business models faster and better than American business figured out software models.
And if you think that's a crazy hollowing out of American business, wait until AIs actually get good. All the low hanging economic fruit in the US is being served up to Silicon Valley. That's why Crowdstrike can be mediocre.



