UAB computer forensic expert discusses CrowdStrike disruption

Somebody did not do diligent testing. Pushing untested updates is extremely bad.

9:04 Nah, as a software dev, I respectfully disagree. Deploying patches without testing them beforehand has a much higher risk than delaying them a few minutes for testing - especially when we're dealing with kernel-space apps.
Actually I'd do several layers of QA / quality gates before deploying anything.
And if speed is the issue, as a rule of thumb, the development phase is expected to take considerably longer than the QA testing.
At least customers should be allowed to configure if they perfer new and untested patches to slightly delayed but tested patches.

The last questions regarding what could be done should be asked of a Software Engineering professor instead. Software developers know it is not time consuming to test a software update - actually, tests should be fully automated. Something went really wrong at Crowdstrike.

Still don’t understand why large enterprises don’t test this update, even if it is daily. Because it hardly takes any time at all, and can prevent a lot of problems and damage. Not sure if this software allows for a delayed rollout of updates, if I understand correctly every agent on every single pc and server can be updated without intervention from the IT department.
This is strange considering the fact this software is mainly used in enterprise environments where development, test and production environments are separated. In this case they should have just installed the update on one machine to find out it was broken. A job that would take a few minutes at most. Obviously that doesn’t include testing all applications running in the enterprise.

That delay in testing and deploying the update in a controlled or development environment should not be a factor because it is the standard practice for software update. You do not just roll out something this impactful without prior testing.
This begs the question, what was the actual purpose of the corrupted update anyway?

Zero-day threats pose a conundrum because the response really needs to be tested thoroughly ( not only in a test environment), but in each organization, it should be deployed on ONE machine in production first to see how it works. A test environment can never replicate real-world production conditions.
Not only that, the fix might need to be rolled out to ONE machine in production in different geographic locations (or similar) because of different conditions in those areas. This is how to prevent the BSOD fiasco that just happened. However, the clock is ticking with zero-day threats. So the IT community needs to come up with ideas and solutions on how to handle this going forward.

excellent explanation. thank you.

He is wrong. You must test before deployment, yes it will take some time, but Very basic testing would have prevented an awful lot of economic damage and medical consequences. The software may not be nominally part of a safety critical system, but large scale systems failures by their very nature have safety implications critical for society as a whole.

UAB is a powerhouse of knowledge across the realm. Excellent explanation!

Excellent explanation. Thank you!

This is a good reason to delay new updates for a week or two and make sure this won't happen to you, IF it's an option.

Please Don't let Crowdstrike Get away with this Please sue them.

Around the 5 minute mark, the claim is made about the urgency and the tempo of updates as a rationale to risk tripping a BSOD in a billion computers. That is ludicrous. It is dangerous. It is wrong.

Crowdstrike and Microsoft has been compromised.

Unix has a way to roll back any updates to prevent issues like this. Crowd strike or Microsoft needs to implement something similar. Plus testing before deployment.

Really good explanation

Where I work they try to make me say that we are undergoing updates when I am having system issues, so the old *update* excuse doesn't really math well with me, they make and update and didn't test it, thereby making a release a virus update which nukes the system. Crowdstrike it's self is just a predatory sounding name, I call wm CrowdSTROKE.
When it happened I thought it was my computer so I just started reinstalling windows by the time I was done I found out what had happened lol.

In IT, we used to call this "patch and pray."

Possibly every agent vendor (such as Crowdstrike) needs to include a definition of what a valid, well-formed file looks like at the same time they push out the patch. So that the receiving system can identify if the patch is valid or not. I'm just brainstorming here; I don't know if this is a practical solution.
And this doesn't prevent the definition itself possibly having errors, but we're getting into rare scenarios here. The overall lesson: make sure there are NO errors in your file before you push it.

What went wrong was that Crowdstrick did not adaquately test in limited mode.

Testing would have prevented this.

No testing?

so your supporting patching without testing in order to protect. right

Hello, what’s difference between Crowdstrike and Palo Alto Network Protection?

yes its takes few min to fix but cost ?

Didn’t crowd strike deploy this update to theirs system?

A better response to corrupted or malformed files (and other anomalies) at the low level is needed. Microsoft needs to work on this (and possibly other OS vendors as well).

Risk based testing is probably what should have been done to determine which type of tests needed to be run given the short timeframe this critical update has to be released into the field. Perhaps that was done and less weight was given to Windows 10 because it is expected to reach end of support by Oct 2025. However, Microsoft and CrowdStrike may have been unaware of the number of critical applications still running on Windows 10.

Did you just imply that crowdstrike should prioritise urgency over pre-release testing?
I so hope not!😮

What went wrong with CS process that caused this mishap?

Yesterday was a big win for CrowdStrike. Finally a virus protection program that disabled the most prolific spyware program on the internet - Microsoft Windows.
No Linux/Mac products were harmed.

Is it really true that simply removing the faulty patch would restore the machine? It's been said elsewhere that the update didn't create a restore pount.
And if course nowadays since bitlocker has been mandated on most Windows machines, just gaining access to do any repair if missing bitlocker keys may be impossible.

No long term impact, hah! We are painting ourselves into a corner with computers within side a burning house!

yes but the reason they update is to keep up with new threats so if they revert to the previous system they can exploit those vulnerabilities not yet patched? At the end He say's that this type of software needs to be pushed out without delay to avoid giving attackers a window if opportunity but before that say's there's no threat for attacks because by removing the new patch you would just revert back to the previous version.?.....also even when the OS systems are down, can't they can still target the network, map network infrastructure, identify potential entry points, and gather intel for future attacks etc?

ok test like first priority what the problem?

It's not just bad code here it's corrupted file, that opens as null in c/c++who doesn't check if a pointer is NULL before accessing it?
This is pathetic, and by the way we tested CS it's not even that better than defender, what's going on here?

It's Green Witch Mean Time... of course.

So many medical personal are doomed 😂😂😂😂

i disagree you can't test this and has to go out immediately. With the timezones assisting on this, they could have rolled out to companies in Australia first (during work hours), and do a rolling rollout. if things don't go well, roll it back immediately. Australia could be the canary.

Test, test and test.... In production! 😂 Smh 🤦🏾‍♀️ 🤷🏾‍♀️ 😒 😑

Question 1 is unnecessary

I've had black friday :) as a IT helpdesk.... and know how to solve the problem... and He is totaly right... it works that way

need to test everything what you talking about??

I do not support releasing before testing, creating that sense of urgency can only lead to disaster.

Criminal negligence.
Show the person who wrote the code.
Linux saves lives.

Microsoft Winows is sh#t.

what you talking about ? by pass test environment because you need fast? try on your own computer! try on boss comp first see what he sad!!

this comment section is biased and uninformed. disheartening from various perspectives