this post was submitted on 20 May 2025
140 points (97.9% liked)

Sysadmin

9183 readers
209 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 2 years ago
MODERATORS
DarraignTheSane@lemmy.world
00Lemming@lemmy.world
L3s@lemmy.world
140
Delta can sue CrowdStrike over computer outage that caused 7,000 canceled flights (www.reuters.com)
submitted 1 day ago by cm0002@lemmy.world to c/sysadmin@lemmy.world
28 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Max_P@lemmy.max-p.me 20 points 23 hours ago (3 children)

unauthorized back door

Isn't autoupdating software by definition an authorized backdoor by virtue of enabling it? The whole premise of CrowdStrike is continuous updates for attacks they see in the wild on other companies' systems.

Also if anything CrowdStrike did the opposite of a backdoor since everyone needed to find their BitLocker keys to get back in and clean this mess. It locked out the front and back door.

[–] jagged_circle@feddit.nl 2 points 12 hours ago* (last edited 12 hours ago)

Yes crowd strike is a huge security risk

[–] ricecake@sh.itjust.works 16 points 22 hours ago (1 children)

There was an additional auto update function that wasn't disclosed. Delta had disabled the auto update because, like many large companies, they prefer to deploy changes incrementally so that an issue doesn't blow-up all their systems at once.

So...

Isn't autoupdating software by definition an authorized backdoor by virtue of enabling it?

Yes. Which is why they contend disabling it makes it unauthorized.

[–] SupraMario@lemmy.world 1 points 20 hours ago (1 children)

That's not how that works. CS didn't have at the time, an option to disable channel file updates. It's how their edr works. Delta's mssp or secops group, %100 knew this as it's in CS own documentation. They really don't have a foot to stand on here, but CS will pay it to make it go away.

[–] ricecake@sh.itjust.works 4 points 18 hours ago (1 children)

CS didn't have at the time, an option to disable channel file updates

Yes, that's the crux of the accusation. Given the large number of people who seemed to be under the impression that selecting a staggered release cadence would protect them from a faulty update, it's not unreasonable to think that people were caught off guard by a second autoupdate system that they couldn't configure that could also tank their system.

[–] SupraMario@lemmy.world 0 points 18 hours ago

Before this, you could throttle the rollout for channel files. You could knock it down to 1 a minute if you wanted.

Channel files were not something that CS admins didn't know about.

[–] slazer2au@lemmy.world 5 points 23 hours ago (1 children)

I wouldn't call an auto update mechanism an unauthorised backdoor, it is required behaviour for that kind of software.

[–] ricecake@sh.itjust.works 6 points 22 hours ago (1 children)

It's absolutely not required behavior! Software for servers has very different requirements from software for end users, and if you have a lot of them you also want to manage your end user machines differently.

Updates can go wrong, and if you roll out a bad update to everything at once you can crash everything and lose a lot of money. As aptly demonstrated by cloudstrike.

That's why Delta and many other companies disabled the auto update functions: so they could control the rollout cadence.
They reasonably believed that disabling autoupdates disabled them. They didn't expect a second autoupdate system that wasn't documented, wasn't controlled by the autoupdate system settings and couldn't be disabled.

[–] SupraMario@lemmy.world 1 points 20 hours ago (1 children)

It's not a second auto update. It's %100 documented in the software and you can %100 throttle it. Channel files are heavily discussed when you roll out CS.

[–] ricecake@sh.itjust.works 1 points 18 hours ago* (last edited 18 hours ago) (1 children)

https://www.crowdstrike.com/en-us/blog/falcon-content-update-preliminary-post-incident-report/

Might want to let crowdstrike know.

Rapid Response Content Deployment

Implement a staggered deployment strategy for Rapid Response Content in which updates are gradually deployed to larger portions of the sensor base, starting with a canary deployment.

Improve monitoring for both sensor and system performance, collecting feedback during Rapid Response Content deployment to guide a phased rollout.

Provide customers with greater control over the delivery of Rapid Response Content updates by allowing granular selection of when and where these updates are deployed.

Provide content update details via release notes, which customers can subscribe to.

https://www.theregister.com/2024/07/23/crowdstrike_lessons_to_learn/

Maybe you're thinking of changes that they made as a result of the incident?

[–] SupraMario@lemmy.world 1 points 18 hours ago

No channel files where %100 there. It's in the general GUI settings. You could throttle channel files. Now after this your able to do General availability, Early availability or pausing them.