this post was submitted on 01 Aug 2024
326 points (99.1% liked)

[–] blazera@lemmy.world 102 points 3 months ago (4 children)

Every time cases like this pop up all I can think of is all the times people have justified investors making so much money because of the risks they take. But whenever that gamble is a loss they pull this shit.

[–] circuscritic@lemmy.ca 31 points 3 months ago* (last edited 3 months ago) (1 children)

What I'm about to say is coming directly from my own asshole, so if someone who actually knows what they're talking about cares to explain why I'm wrong, I'm open to hearing it.

This feels like an attempt to try to extract as much capital as possible before other civil lawsuits and/or regulatory actions are able to do the same.

[–] barsquid@lemmy.world 7 points 3 months ago

It certainly is, everyone is queuing up.

[–] HauntedCupcake@lemmy.world 14 points 3 months ago (1 children)

If the CEO was lying to the investors that's akin to being lied to about the odds of a slot machine. It should totally be prosecutable.

At the same time I don't feel sorry for them, and think they should be last in line after all the other victims

[–] NotMyOldRedditName@lemmy.world 1 points 3 months ago

I was under the impression investors would be behind the 3rd parties hurt by this? Is that not how things work?

Also, retail investors are usually on the bottom behind institutional investors who can afford big lawyers.

[–] cmhe@lemmy.world 9 points 3 months ago

That is how capitalism works, privatize earning and nationalize losses.

Capitalism needs the deep pockets of the government to not collapse into itself.

[–] barsquid@lemmy.world 6 points 3 months ago

I'm perfectly fine with it if they want to sue the company but I don't want these assholes to be bailed out by the government like SVB bullshit.

[–] DirigibleProtein@aussie.zone 74 points 3 months ago

Just give them a $10 Uber Eats card!

[–] cbarrick@lemmy.world 46 points 3 months ago (3 children)

[S]hareholders said they learned that CrowdStrike’s assurances about its technology were materially false and misleading when a flawed software update disrupted airlines, banks, hospitals and emergency lines around the world.

I don't see how they can make this argument.

Falcon is a kernel module. When kernel modules fuck up, you get kernel panics.

Sure, the layperson may not know enough about computers to recognize this, but it's a basic enough fact about operating systems that an investor in a company like this should take the time to learn. It's not like they hid that fact.

If you invested in a company without knowing how their product works, that's on you.

[–] thesmokingman@programming.dev 21 points 3 months ago (2 children)

You highlighted the wrong portion of this article.

The complaint cites statements including from a March 5 conference call where Kurtz characterized CrowdStrike’s software as “validated, tested and certified.”

If the CEO is making claims that the software is tested and certified, then the CEO should be able to prove that claim, no matter where the software lives. It is very reasonable to say, at face value, the CrowdStrike testing pipeline was inadequate. There is a remote possibility that there were mitigating factors, eg some other common software update released right before from another vendor that contributed; given CrowdStrike’s assurances and understanding of where it falls in most supply chains I consider that to be bullshit. I personally haven’t seen anything convincing that shows a strong and robust CI pipeline magically releasing this issue.

Now shareholder lawsuits are bullshit in general and, as someone constantly pushed to release without fucking any confidence, I think it’s really fucking dumb to ever believe any software passes any inspection until you have actually looked at the CI/CD process in-depth.

[–] kevindqc@lemmy.world 12 points 3 months ago* (last edited 3 months ago)

I mean it was true. It's just that there was a bug with the automated testing software that let the bogus file go through.

They could have shown their testing/certification pipeline to investors, but it wouldn't have changed anything unless investors would have somehow been able to figure out there was a bug in what they showed them.

[–] ArgentRaven@lemmy.world 6 points 3 months ago (2 children)

To add to that, I very much doubt any big company tests and verifies anything anymore.

Boeing ships planes with missing bolts and proper software, Crowdstrike pushes updates with no testing, we've all seen Microsoft push updates that break stuff because there's no testing, and that's just what comes to mind.

That's how they maximize profits - get rid of testing environments, do minimal checks, and have the one guy doing 3 jobs at once just push it to production.

I've been in IT for the banking industry for over a decade and I promise you, we're all a missed cup of coffee or a comma away from another massive outage due to a program or network misconfig.

As long as business culture is set to maximize profits for one quarter, I wouldn't trust a sales website about "verification" or "disaster recovery backups" any more than I trust a used car salesman.

That goes for Crowdstrike, but also all of their competitors.

[–] thesmokingman@programming.dev 4 points 3 months ago

I’ve got friends at Boeing on DoD contracts. Not only is it waterfall, it gets tested hardcore. My experience in private industry is the exact opposite. A consultancy I know of just lost (pretty sure) a state contract because they opened shit up to the public because, surprise surprise, they didn’t test their infra changes.

Now I will say that when I have had to manage client SLAs and there is a cost to post-release defects and change requests, testing increases. Not to the level I’m super comfortable with (which is well below perfect, mind you; I like shipping more than once in a lifetime), but a bit more.

[–] mosiacmango@lemm.ee 3 points 3 months ago* (last edited 3 months ago)

The CTO of a competitor, SentinelOne, was just on the security podcast Risky Business. He went deep into how his company does this.

Apparently, their client touches the kernel much less, so it is less likely to cause issues. They also have a large internal test bed that updates have to pass to go out at all, and then if they have a 2% failure rate during the wide deployment, the update is automatically stopped.

Crowdstrike does almost none of this. Their core client is deep in the kernel, making it powerful and dangerous. They apparently do test on their local machines, but the company is an Apple shop, so none of the Windows updates were tested locally. The updates pushed out started crashing computers immediately, but weren't stopped for 78 minutes by manual intervention. That was long enough to crash 8 million computers across the world.
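
The two gates described in the comment above (an internal test bed, then an automatic stop at a 2% failure rate during wide deployment), sketched as an added example that is not from the thread or from either vendor. The names `staged_rollout`, `RolloutResult`, `bad_update`, the `min_sample` parameter and the fleet data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class RolloutResult:
    stage: str       # "test_bed" (rejected before release), "halted" or "complete"
    attempted: int   # fleet hosts that received the update
    failed: int      # of those, hosts unhealthy afterwards
    untouched: int   # fleet hosts the update never reached

def staged_rollout(test_bed, fleet, apply_update,
                   max_failure_rate=0.02, min_sample=50):
    """apply_update(host) returns True if the host is healthy after updating."""
    # Gate 1: every internal test-bed host must survive the update.
    if not all(apply_update(h) for h in test_bed):
        return RolloutResult("test_bed", 0, 0, len(fleet))
    # Gate 2: wide deployment, stopped automatically on the failure rate.
    attempted = failed = 0
    for host in fleet:
        attempted += 1
        failed += not apply_update(host)
        # min_sample keeps a single early failure from tripping the stop.
        if attempted >= min_sample and failed / attempted > max_failure_rate:
            return RolloutResult("halted", attempted, failed,
                                 len(fleet) - attempted)
    return RolloutResult("complete", attempted, failed, 0)

# Constructed data: 10,000 hosts, every second one running Windows.
FLEET = [("windows" if i % 2 == 0 else "macos", i) for i in range(10_000)]

def bad_update(host):
    """Constructed faulty update: leaves every Windows host unhealthy."""
    return host[0] != "windows"

if __name__ == "__main__":
    # A test bed without the affected platform lets the update out;
    # the automatic stop then limits the damage to the first sample.
    print(staged_rollout([("macos", -1)], FLEET, bad_update))
    # A test bed that covers the platform rejects it before any release.
    print(staged_rollout([("macos", -1), ("windows", -2)], FLEET, bad_update))
```

With the constructed fleet, the automatic stop trips after 50 hosts instead of reaching all 10,000; a test bed that includes the affected platform keeps the update from reaching any fleet host.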

[–] mosiacmango@lemm.ee 10 points 3 months ago* (last edited 3 months ago)

There are kernel modules, and then there are kernel modules.

Based on conversations from the CTO of SentinelOne, a CrowdStrike competitor, the CrowdStrike client is intentionally engineered with a lot of and way deeper hooks than most of the industry. This makes their engine powerful and very dangerous. The other vendors in the space touch the kernel as little as possible, moving everything they can into userspace to minimize any possible damage.

The fact that crowdstrike was fully in the kernel and then running basically no tests while deploying updates is the reckless fuck up.

[–] naonintendois@programming.dev 3 points 3 months ago

You would be surprised at how little investors know about the things they invest in. They only look at the money flow. The case will likely go nowhere though since a small gap in processes isn't the same as a complete lack of processes that the lawsuit is implying.

[–] hagelslager@feddit.nl 20 points 3 months ago (2 children)

I hold no love for investors (even though pension funds rely on them, as shown by the lead plaintiff), but this seems pretty warranted if the company makes claims which are contrary to reality.

[–] sunzu@kbin.run 2 points 3 months ago

even though pension funds rely on them, as shown by the lead plaintiff)

Bro. Pension fund is an investor category. A major one after owner class.

[–] daddy32@lemmy.world -1 points 3 months ago

This is called "securities fraud" and I think this would be a straightforward case.

[–] YeetPics@mander.xyz 14 points 3 months ago* (last edited 3 months ago) (2 children)

Why should shareholders get to sue anybody?

They invested and supported a company that caused this. They didn't do their due diligence and made bad investments based solely off what they were told they could financially GAIN.

This is not the ideal outcome of investing, and it is entirely their own fault.

I'd like to sue the shareholders for enabling such malfeasance. A class action suit with several billion cosigners. Fuck these leeches.

[–] LodeMike@lemmy.today 21 points 3 months ago (2 children)

Because companies have a fiduciary duty to their shareholders and this is how it's enforced.

[–] chaospatterns@lemmy.world 4 points 3 months ago* (last edited 3 months ago) (1 children)

Yes fiduciary duty to the shareholder is sometimes misunderstood but this is in scope.

Everything can be securities fraud:

https://archive.is/p2YHV

Or:

https://www.bloomberg.com/opinion/articles/2019-06-26/everything-everywhere-is-securities-fraud

[–] LodeMike@lemmy.today 1 points 3 months ago
[–] Prethoryn@lemmy.world 3 points 3 months ago (1 children)

Literally, you invest on good the idea a company will operate within your interests. This going as south as it did was the opposite of the interests of investors. They have a right the same as companies using the product.

[–] LodeMike@lemmy.today 5 points 3 months ago

Allowing that is a great way to legalize stealing investor money.

If the company fails the investors get nothing, but it still has a fiduciary duty to them.

[–] MirthfulAlembic@lemmy.world 6 points 3 months ago

The shareholders in question suing are a public employee retirement fund. I wouldn't exactly consider retired sanitation workers and bureaucrats societal leeches, but to each their own I guess.

[–] Prethoryn@lemmy.world 12 points 3 months ago

This just in Lemmy users don't understand that investors are people with rights as well.

[–] catch22@programming.dev 9 points 3 months ago* (last edited 3 months ago)

Between airliners crashing and financial and public infrastructure being taken down by security flaws I wonder how many trillions of lost dollars and lives being lost it will take before critical software like this is held to a higher standard. Even though it's just as important as the development team that writes the code, QA and a software dev process are still treated as unimportant and something you do only if you have the time to do it.

[–] beerclue@lemmy.world 4 points 3 months ago (1 children)

And yet, they are hiring. Job openings popping up on LinkedIn... Who would apply?

[–] Hasherm0n@lemmy.world 2 points 3 months ago

I almost did before the outage. Their pay was pretty low compared to similar positions at other companies though.

[–] KingThrillgore@lemmy.ml 2 points 3 months ago

CEO resigns in 3...2...