CrowdStrike Is Sued By Shareholders Over Huge Software Outage

Shareholders have sued CrowdStrike on Tuesday, claiming the cybersecurity company defrauded them by concealing how its inadequate software testing could cause the global software outage earlier this month that crashed millions of computers. Reuters reports: In a proposed class action filed on Tuesday night in the Austin, Texas federal court, shareholders said they learned that CrowdStrike's assurances about its technology were materially false and misleading when a flawed software update disrupted airlines, banks, hospitals and emergency lines around the world. They said CrowdStrike's share price fell 32% over the next 12 days, wiping out $25 billion of market value, as the outage's effects became known, Chief Executive George Kurtz was called to testify to the U.S. Congress, and Delta Air Lines reportedly hired prominent lawyer David Boies to seek damages.

The complaint cites statements including from a March 5 conference call where Kurtz characterized CrowdStrike's software as "validated, tested and certified." The lawsuit led by the Plymouth County Retirement Association of Plymouth, Massachusetts, seeks unspecified damages for holders of CrowdStrike Class A shares between Nov. 29, 2023 and July 29, 2024. Further reading: Delta CEO Says CrowdStrike-Microsoft Outage Cost the Airline $500 Million

HAHA I love it.

[olsmeister]

You can't make the shareholders sign something that agrees to binding arbitration. Oops!

Re:HAHA I love it.

[Mr. Dollar Ton]

The question is what do the people who filed the lawsuit really expect from it.

Change of management? Pointless, they can vote management out without the litigation, theoretically.

Money? Nobody's going to give them back the momentary valuation of the company a few months ago.

Wisdom, so they don't buy into bullshit? It is the stock price fall that will teach them.

So, what's the point of a lawsuit?

Re:HAHA I love it.

[Tony Isaac]

As with most lawsuits, it's about money. They might not get back all of their investment, and they aren't stupid enough to think they will. But if the company crashes and burns, they want to be at the front of the line of all the creditors trying to get their little piece of the pie.

Re:HAHA I love it.

[Zocalo]

They're shareholders, which means they're right at the back of the queue for any asset recovery if the company implodes. That they're trying to jump the queue, and potentially completely crash a company already on the ropes in the process, tells you all you need to know about what they think about the company's long term prospects.

It probably won't work - if this, and/or the Delta suit, shows any signs of actually resulting in sizeable damages, you can pretty much guarantee the execs will strip as much from the company as they can, file for Chapter 11, then rapidly transition into Chapter 7 leaving Delta and the shareholders holding a bag of self-inflicted legal fees.

Re:

[AmiMoJo]

Exactly. They can see that Crowdstrike is probably about to be bankrupted by liabilities arising from this debacle, and want to minimize their losses.

Re:

[thegarbz]

Yeah but that is non-sequitur thinking. Unless they are going to sink the company than any money they get as a payout here will come out of their future EPS. If the lawsuit sinks the company then their share price will be even more depressed and they will be lining up for a smaller handout than the current value.

Never in the history of shareholder class action suits have shareholders ever come out on top, even when they win.

Re:

[Tony Isaac]

These suers think the company is already sunk, it's just happening in slow motion. Once you've made up your mind that the company can't recover, you no longer care about future EPS.

Re:

[jonbryce]

They won't get any of the money back, because any payout is going to depress the share value by the same amount. They are essentially suing themselves.

Re:

[Tony Isaac]

You're probably right that they won't get what they hope for. And the payout might depress share value, but it's not a zero-sum game. There's no direct correlation between the payout amount, and the share value.

These shareholders believe that the company is going down, and they're just looking to get any little scraps of what's left that they can.

Re:

[jonbryce]

There's a perfect correlation.
However:
There are other factors that also affect the share price, and those change all the time, so it can be difficult to separate those out.
The current share price will reflect the expected pay-out, and the share price movement on judgement / settlement will refect the difference between expected and actual payout, as well as the other unrelated factors outlined above.

Personally, I'm giving it a target price of $0. Maybe it will end up being higher than that, but that's a ris

Re:HAHA I love it.

[Tony Isaac]

As GameStop illustrated, there is no correlation between share price and actual business performance or revenues or net income or any other business metric. Share price is *only* a function of supply and demand...for shares. Of course, demand could be affected by a payout, but not directly.

Re:

[niftydude]

The point of most lawsuits is to make the lawyers richer.

As you implied, if the shareholders manage to extract any compensation of the company via a lawsuit, then value of their shareholdings will drop by the amount of the compensation they extracted.

And the compensation shareholders actually receive will be decreased by a significant amount of lawyer fees.

Lose-lose for both company and shareholders. Win-win for both prosecuting and defence lawyers.

Re:

[Zocalo]

The question is what do the people who filed the lawsuit really expect from it./

It'll be a class action, I assume? If they're lucky they'll get a $10 voucher for a cup of coffee while their lawyers make bank.

Re:

[Alumoi]

More money for the lawyers.

Re:

[GrumpySteen]

You're assigning them a level of intelligence and logic that they do not possess. The goal is as it always is with investors; immediate returns instead of long term stability and growth. They don't care about getting $20 next week if they can get $10 by bankrupting the company today.

Results.

[Compaq Disk Rereader]

The question is what do the people who filed the lawsuit really expect from it.

I don't know what those idiots want but the result will be fear.
Executives are generally pretty cowardly and quick to excuses and easy fixes.
"Oh i have no choice but to be evil and make shitty products... fiduciary duty!"

Last year Okta got hacked and reacted to the drop in share price by announcing layoffs. It worked!
Maybe these guys will be afraid of doing a shitty job if the whole thing implodes leaving a crater.

Re:

[laughingskeptic]

Easy: The purpose of the lawsuit is to make the attorney that filed it rich. Like any other class action lawsuit, only the attorneys actually make money -- everyone else gets a coupon.

Re:

[gweihir]

Nice indeed.

C-Suite starts looking for an emergency exit.

[SeaFox]

"The call is coming from inside the house!"

Re:

[Tony Isaac]

They are each working on their golden parachutes that they plan to deploy when they exit.

Re:

[NoWayNoShapeNoForm]

They are each working on their golden parachutes that they plan to deploy when they exit.

CEO Kurtz did not learn from his "exploits" at McAfee, eh?

Re:

[Tony Isaac]

No, why would he? One thing that characterizes most CEOs, is a believe that they can succeed where others have failed. They think the others failed because of their inferior abilities.

Re: C-Suite starts looking for an emergency exit.

[spinitch]

Suing yourself seems odd but lawyers probably advised a way to freeze Execs from pillaging before their dismissals. Execs will try to bargain for severance and suing might help mitigate. TLDR turning into an implosion go on get your money and run.

Correction

[sonoronos]

Crowdstrike is Sued By Shareholders Over massive drop in share price.

There is a subtle difference, but a difference nonetheless.

Re:

[HiThere]

Right. They should have sued the CEO and the board.

Re:

[Tony Isaac]

Yep. As with most corporations, the engineers were told repeatedly that they had to have the software working on time and under budget, even if they had to cut corners to get there. That's totally on the executives.

I get the anger

[stabiesoft]

But not sure how this is going to help them. the company has little intrinsic value. They probably lease. so no real estate, and likely have few computers they own. It is probably rented cloud mainly. So that leaves some office equipment. Lawsuit will just speed the total collapse/bk of the company and share values will go to 0. Smart shareholders have sold already.

Re:

[Tony Isaac]

They're trying to get at the front of the line of the many creditors who will soon be coming after the company.

Re:

[quantaman]

But not sure how this is going to help them. the company has little intrinsic value. They probably lease. so no real estate, and likely have few computers they own. It is probably rented cloud mainly. So that leaves some office equipment. Lawsuit will just speed the total collapse/bk of the company and share values will go to 0. Smart shareholders have sold already.

This might be a dumb question... but doesn't the company belong to the shareholders? Aren't they suing themselves?

Maybe they could force management to do something, but wouldn't any payout they get just be paying themselves?

On paper they're worth 54 billion

[rsilvergun]

So there's a lot of potential money to get there. Now these lawsuits will likely result in a company being under capitalized and unable to maintain their software resulting in a death spiral but the investors don't care. Everybody invests in companies for short-term gains now. Nobody's thinking five let alone 10 years from now at the state of the company they just want their money right fucking now.

So yes suing them is self-destructive in one sense but none of these shareholders are planning on holding

Re:

[reanjr]

These types of suits are meant to extract any remaining value from the tiny shareholders and use it to cover the losses of the big investors who should have known better. Congress should make it illegal for shareholders to sue their companies. As the owner of the company, you're the one who's responsible.

Re:

[thegarbz]

It's a fantasy that this company is going to collapse. Reminder: They had a 50% drop in value, and that makes them... twice the size of Delta Airlines. Crowdstrike is a *huge* company, people don't seem to realise this.

However on the chance that they do collapse, being party to the lawsuit puts them at the front of the queue for recovering any assets (but as you point out, they likely have few).

Re:I get the anger

[dlarge6510]

> But not sure how this is going to help them. the company has little intrinsic value

That’s not the point.

When you allow a company to have intimate access into your networks and they fuck it up due to incompetence you expect them to be allowed to get away with it with just a slap on the hand?

Any company that has anything lost because of this will now hold Crowdstrike legally liable, as they ARE and thus, this is likely the end of Crownstrike.

My last workplace had just implemented their backdoors system into out IT systems as we thought they would be the best at preventing ransomware etc. They have full access to AD, client machines and laptops, servers, everything and their "crack team" will spent all night monitoring and analysing any problems in your event logs etc (obviously mostly automated).

One of my daily IT morning tasks was to check the Crowdstrike reports etc.

The first time we considered them I turned them down due to how uncomfortable I was with the idea they would have so much access, it literally is giving them a backdoor for every server and machine, they have AD credentials and everything!

Where I work now, the cloud is kept strictly at bay. I know that even my last place will be ditching crowdstrike the first chance they get, and they are a pub company, my brother in law still works there as the sysadmin and they were fully taken out!

I was also previously a software tester and I would have never signed off this change as I wouldn’t have passed it. I frequently find everyone from Microsoft and Apple to small development companies seem to have thrown testing, basic testing out the window. Apple allowed their SSL library in Safari to *assume invalid SSL certificates were valid* for YEARS, a DECADE. For a whole decade anyone using Safari on ANY apple device had no protection from invalid, expired or revoked SSL certificates at all, all because of a test development that commented out some code that as forgotten about.

TEN YEARS. I mean FFS, a simple REGRESSION TEST with an INVALID TEST CERT would have immediately failed! They didnt even do that! Apple! Completely incompetent and its still happening, Microsoft do it all the time.

The difference is Apple didn’t cause financial loss, just hurt their reputation a bit. Crowdstrike instead performed a Denial Of Service attack on the ENTIRE WORLD costing billions, maybe hundreds of billions of dollars’ worth of actual financial damage to thousands of companies not to mention the public. All because they didn’t test shit.

And you think nobody is going to want blood over this? Because there is not enough blood to go around? I may not have a head for business but even I will be letting the dogs loose!

It's my hope this scares everyone into actually testing stuff again. This should NEVER HAVE HAPPENED. Where was the test groups? The servers in companies asked to provide a test platform, non-critical systems used for testing other updates could have been given the chance to test this update too. That way Crowdstrike can take advantage of the huge resource of having real test systems across customers! They could have offered a discount to encourage customers to do this even.

One thing I think is certain, cowboy developers like Crowdsrtike must grow up and learn to do development correctly, but Crowdstrike itself is very likely dead in a few years.

Re:

[Penguinoflight]

The liability clauses in the UA don't undermine any of Crowdstrike or Microsoft's liability to provide reasonable care in creating their software products. The 50B company valuation is a bit deceptive because while that's their current value (down from over 70B earlier this year), they have this value against an over 400/1 PE ratio which puts that price squarely in fantasy land.

If you adjust their valuation against a more realistic PE ratio like Microsoft's at 35/1 their company is worth less than 5 Billio

Gasp!

[Akardam]

Consequences...

Re:

[gweihir]

Indeed. Way overdue.

I doubt this will succeed

[dskoll]

I have my doubts this will succeed. Crowdstrike merely has to show it was following industry practices, which as any software developer knows are atrocious. Microsoft, Google, Facebook, Amazon... they've all had costly outages caused by goofs somewhat similar to this one. They're just massive enough with a wide enough range of customers/products that the goofs didn't affect their share prices.

Anyone who invests in a software company should know that the software industry is known for these kinds of f***

Re: I doubt this will succeed

[grmoc]

Crowdstrike was not following industry standard practices. They failed in multiple basic ways in ways that the rest of the industry knows to do and does.

For instance, have QA that works.

For instance, doing dog fooding of their own product and config changes.

For instance, having a backup when things fail catastrophically multiple times in a row with no changes.

Or by not rolling out to 100% of the world all at once and instead rolling out in a staged fashion that allows you to catch problems before they affect everybody.

So, no, I don't think they're going to have that defense.

Re:

[dskoll]

Yes, everyone says they do all those things. Not everyone actually does them. And I suspect Crowdstrike would not have a difficult time coming up with examples of many other companies making equally egregious errors.

For example, today Microsoft admitted that the Azure outage happened because of a DDOS, and that their DDOS protection have a goof that made it amplify rather than mitigate the attack. This is just as much of a f***up as Crowdstrike, but nobody would think of suing MSFT over it.

Re:

[Luckyo]

Problem with this narrative is that it may work for normal everyday function.

It ceases to work the moment it hits the courts. Because the opposite side will unironically ask you during cross examination something like "so do you seriously think that it's a valid defense to commit a crime, and then defend yourself with "but all my friends committed that crime too""?

Jury will get a good chuckle if you get trial by jury, and you will lose the case then and there. Otherwise judge will get a good chuckle, and wh

Re:

[dskoll]

What crime did Crowdstrike commit? Besides, this is a civil suit.

The defense that mistakes happen, even to the best of companies, is a pretty good defense against saying that Crowdstrike committed fraud by not detailing how its QA works to shareholders.

It's possible someone at Crowdstrike committed gross negligence; I don't know. But to me, that would imply liability to Crowdstrike customers.

Re:

[gweihir]

If you systematically ignore the state-of-the art and then lie to your investors about it, that is not a "mistake".

Re:

[null etc.]

This is just business as usual in capitalism land, crazy old man.

Re:

[gweihir]

"Business as usual" requires not screwing up so massively that the morons and the sheep cannot ignore it anymore. Crowdstrike and maybe Microsoft have overdone it.

Re:

[dskoll]

Did they lie to their investors, though? Statements put out by companies to investors are typically full of weasel words, and I don't know that any technology companies detail their software development practices in investor communications.

Re:

[gweihir]

It is very hard to weasel out of not using sane practices and doing the minimum the state-of-the-art requires. More so if you provide critical software that can damage a system in the observed way. Yes, Crowdstrike and Microsoft are now putting out FUD. But no expert will be the least bit impressed.

Re:

[Luckyo]

>What crime did Crowdstrike commit?

This is a great example of "tell me you don't understand how court of law and trial by jury works, without telling me you don't understand how court of law and trial by jury works."

I told you the psychological methodology that will be deployed in court against CS. You failed to grasp this, and started asking me irrelevant questions on details of the analogy.

Notably, this is what law professors usually beat out of their students by the second year. Usually by holding moc

Re:

[dskoll]

You mentioned "crime" in the context of a civil lawsuit. So I'll take any of your pronouncements on the law with a large grain of salt.

But anyway. We'll see. My prediction is this shareholder lawsuit will not succeed; let's revisit when the dust settles.

Re:

[Tony Isaac]

There is no comparison between Microsoft's Azure outage, and CrowdStrike's.

Microsoft's outage was confined to one region. It was brought under control within a few hours. Nobody lost their servers for an entire week.

And yes, many companies, including my own, do follow these best practices. Do we have problems and weaknesses? Yes. But we certainly do NOT roll out a production release to all of our servers at once. And we certainly do have a rollback plan for every release. Of course, there are companies that

Re:

[dlarge6510]

> This is just as much of a f***up as Crowdstrike, but nobody would think of suing MSFT over it.

Yes it is, but there is a stark difference.

When you go cloud you rely on the cloud so when MS bork the cloud (which they did multiple times in my last place that migrated from on-prem to Azure) you just accept it.

You dont normally sue them as you *have no alternative*. You trashed, mothballed, skipped your on-prem systems, you ARE in the cloud. So when it fails to rain, thats seen as un-sueable as a power cut

Re:

[dskoll]

I'm not arguing with you that Crowdstrike customers have every reason to be pissed and possibly seek damages. I'm just doubtful that shareholders will have any success being awarded damages.

Re:

[gweihir]

And one more: Do not put things that are easy to crash in the kernel. Put a module that is very hard to crash in the kernel and then use that via an API from userspace. Basic privilege-separation, really. Microsoft should have done this already and then only opened the API (and use the API themselves for their AV, in order to fulfill EU antitrust requirements). Since Microsoft did not do this, Crowdstrike should have it done themselves. That they did not shows incompetent or no risk management and no clue

Re:

[nyet]

Exactly this. For some stupid reason my comment about binary parsers in ring 0 got modded down. /. is full of clueless morons these days.

Re:

[bleedingobvious]

Even simpler - don't flag it boot-start and it could prang as much as it wanted without interrupting OS boot....

Sure you'd have a broken AV *but* you'd still be able to function

Re:

[Plugh]

This should have been caught before the change was even committed to their repo, much less deployed to customers. For enterprise software a fresh-install test and an upgrade-from-supported-version test should be automatically included with any PR's quality checks.

Re:

[nyet]

No mention of putting a binary parser in ring 0?

Re:

[thegarbz]

Or by not rolling out to 100% of the world all at once and instead rolling out in a staged fashion that allows you to catch problems before they affect everybody.

Except for this one point you're spot on. The kind of update that was rolled out and broke everything is precisely the kind of update that per industry standard practice *is* rolled out world wide as quickly as possible. You don't want to be the anti-virus / network intrusion company telling your client they got hit by an actively exploited zero day because you were staging the rollout of your definitions to other customers first.

This wasn't a software update. Software updates are not rolled out this way, b

Re:

[dlarge6510]

Having once been a QA tester I find most software companies fail to do basic QA testing these days.

Microsoft do it all the time. One that I find really odd is how since windows 8.1 you can use the Settings app thing to configure the network address details of your NIC's. Only it never applies the changes. Behind the scenes the NIC is still using the old IP details. The only way to change them is to use the good old fashioned control panel. This actually causes issues today where I work as users who hav

Re:

[froggyjojodaddy]

No-ones going to talk about the real root cause. Leaders, at multiple levels, who scoff at QA because, "We need more SVPS. We don't need more QA"

Why Crowdstrike will likely win

[DeplorableCodeMonkey]

What brought down Crowdstrike wasn't a code update, it was an update to the configuration. This was equivalent to an anti-virus package having a bad update to its definition data that caused a previously unidentified issue to surface.

The plaintiffs are going to have a fairly high burden to prove that Crowdstrike was concealing something rather than simply screwed up due to human error in a particular update given how often Crowdstrike updates and it goes well.

Crowdstrike should have to make restitution to some of their clients, but I doubt the shareholders have a strong position with these arguments.

Re:

[pauljlucas]

What brought down Crowdstrike wasn't a code update, it was an update to the configuration.

True, but CrowdStrike's driver software apparently does no validation on the update files. Always, always validate input. Shipping an update containing all zeros is a mistake; not validating it is a design flaw. It's a rookie-level blunder.

Whether it has any bearing on the lawsuit, who knows?

Re:

[Njovich]

They claim that the files were not zeroes but the all zeroes are written by Windows: https://www.crowdstrike.com/bl... [crowdstrike.com]

Re: Why Crowdstrike will likely win

[grmoc]

Well, in that case I would expect that their software should do a basic config validation and reject things that may otherwise cause computers to become inoperative entirely.

Certainly, when I was writing mission critical software in the past, that is what we did as standard practice.

Re:

[gweihir]

Indeed. No input validation, not professional software. Period.

Re:

[nyet]

I don't get why more folks aren't talking about this. Just look at the other comments. It's all clueless idiocy that is missing the point. This is a fundamental design problem that lies squarely on the idiot naive windows devs who don't know how any of this should work. Crowdstrike is demonstrably hiring idiots, or has idiots doing the design work. For a "security" company this is beyond inexcusable.

Re:

[F.Ultra]

Sorry but you cannot be this dense. We have the input of a config file with bad data in it and the outcome of a BSOD, no one needs to see the code to understand that this was a fault with input validation.

Re:

[thegarbz]

You have a causality problem here. It's not a case of validating the zero input, to prevent a crash. The crash in this case resulted in a file which had a zeros. There was a different underlying issue.

Re:

[pauljlucas]

It doesn't matter how the zeros got there. They should still validate the file before using it.

Re:

[drinkypoo]

It matters, but not to Cloudstrike.

It matters to Microsoft.

Re:

[nyet]

Not only should they validate the binary blob data before parsing it... how about don't parse/validate it in ring 0? Completely moronic rookie windows developer mistake.

Re:

[jenningsthecat]

They claim that the files were not zeroes but the all zeroes are written by Windows: https://www.crowdstrike.com/bl... [crowdstrike.com]

That then leaves them with the task of explaining why the customers' Windows installs corrupted the files, but CrowdStrike's Windows installs on their test computers DIDN'T corrupt the files. Oops, THAT'S an embarrassing conversation!

I'm simply amazed that this apparent complete failure to perform a limited live test before pushing the update out to the whole world is getting so little coverage in the mainstream media. It's the very first thing mentioned on most tech forums.

Re:

[gweihir]

Soo, they claim they push updates without signatures (or even simple checksums) or validation of those before the file is used?? It gets worse and worse!

It also seems they are unaware how to flush a file to disk or that you need to do that if you depend on it being in disk, say, for a successful reboot?

Seems to be gross incompetence at work.

Re:Why Crowdstrike will likely win

[nyet]

Gross incompetence indeed. And a reminder: Crowdstrike is arguably in the *security* business. How is this ok?

Re:

[serafean]

> Although many of us have experienced this scenario when forcibly removing external media, the same can happen with internal media when it too is “forcibly removed” — as in the case of a so-called “blue screen of death” (BSOD). In such a situation, it’s possible for the file system and storage driver’s flushing code not to have run (and in some cases, the hard drive can have its own firmware-based delayed write mechanism), such that no bytes will ever make it to

Re:

[Wolfling1]

This. Those of us who remember Y2K recall how the level of expertise in verification and validation was superb. Then, the 'clever' executives retrenched everyone afterwards and the general levels of expertise in the industry have been declining ever since.

We've been bumping along the bottom for so long, this was destined to happen sooner or later.

The lawsuit should be about setting a precendent of accountability on the executives who cause these kinds of disasters. And yes, I'm looking at you George

Re:

[nyet]

No, what brought down Crowdstrike was the moron who decided parsing a binary blob in ring0 was a good idea.

Re:

[Tony Isaac]

Huh? What does "parsing a binary blob" have to do with anything? There's nothing especially risky about storing configuration in a binary format.

The bad idea was not using green-blue deployment for this configuration file. Rolling out the deployment (of the data file) would have caught the problem early, and minimized the damage.

Re:

[nyet]

That green/blue stuff is a backstop that shouldn't be required at all. It's a last resort. Your primary resource is *proper design* which Crowdstrike utterly failed to do, for a company who got permission from MS to muck around in ring 0.

Re:

[Tony Isaac]

Only an arrogant or incompetent developer or team would consider green/blue deployment "optional" if they do large-scale deployments. Even the very best practices sometimes miss something. Every robust system includes risk mitigation, and the more robust the system, the more risk mitigation is considered.

You didn't explain how "parsing a binary blob" is especially risky.

Re:

[F.Ultra]

not at all, text files are also binary files that needs to be parsed. There is nothing sacred with "text" that makes it in any way shape or form less error prone to parsing problems. Just check the long history of e.g Sendmail issues that all are down to parsing of a config in text format.

Re:

[Entrope]

Is "parsing a binary blob in ring0" better than "parsing a XML file in ring0"? I think the dumb design choices were having a *complex* parser in the kernel and not having some integrity check before trying to parse the file.

Re: Why Crowdstrike will likely win

[sectokia]

I think you are missing the point. It donâ(TM)t matter when the bad code went in. Infact itâ(TM)s worse that they added code they obviously never tested, and then didnâ(TM)t use it until much later. Not only that, but even the most basic proofing tools are able to find the bug - even without bringing given the source code. Which means they are extremely lazy and not even doing the basics required for a normal signed driver by microsoft

Re:

[khchung]

What brought down Crowdstrike wasn't a code update, it was an update to the configuration.

I see, you are one of those guys who thought changing config/data doesn't need testing.

When you work with mission critical systems, updating ANYTHING should be tested, no matter if it is just to flip a bit from 0 to 1. How could you know your program won't choke on the changed data and then crash and burn, which was exactly what happened with CrowdStrike?

When the update BSOD every Windows machine immediately, it showed that CrowdStrike had not done ANY testing before pushing it out. I would say NO TESTING

Re:

[gweihir]

When you work with mission critical systems, updating ANYTHING must be tested

Fixed that for you...

Completely missing the point

[DeplorableCodeMonkey]

I see, you are one of those guys who thought changing config/data doesn't need testing.

I never said that, and I can see you are one of those nerds who has no idea how law and legal proceedings work.

The plaintiffs are making a few assertions:

1. The code is untested/improperly tested.
2. A code update brought down the system.
3. Crowdstrike actively concealed the poor to non-existent quality of their code testing.

Let's break it down now...

1. There is ample evidence that the code itself was tested and certified

Re:

[Martin S.]

Bad data should never cause a critical failure.
Verification and validation code is as old as programming.

Funny

[anoncoward69]

Isn't this just the shareholders suing themselves? I mean I guess if they already sold all their holdings then it's not, but if they sold their holdings already it means their loss is permanent where as the stock might have recovered in time. If they are still holding the stock and get a successful judgement, wouldn't this just make the stock plummet in value even more?

Re:

[Tony Isaac]

They're looking for cash, not stock value. They've clearly given up on the stock earning them anything. They're just trying to cut their losses.

LOL

[nyet]

Lets parse a binary blob in ring 0.

What could possibly go wrong.

want the inside story

[awwshit]

I'd love to hear the inside story of the Crowdstrike debacle. The best lessons are in the individual stories of the people directly involved in the release.

Re:

[nyet]

What else is there to know? Some moron decided parsing unvalidated data in ring0 was a good idea.

Dude should be criminally prosecuted.

So i would like to know *who made that deliberate design decision*.

Their swag store sells whiskey flasks

[Plugh]

h/t to the Security Now! podcast [twit.tv] for pointing out that Crowdstrike actually has a pretty cool Swag store [crowdstrikeswag.com].

h/t to me for noticing that they sell branded hip flasks [crowdstrikeswag.com].
Because nothing says you need portable distilled alcohol more than Crowdstrike!

Indian proverb:

[Max_W]

"In a village where people are healthy the doctor is poor."

So why would anyone want to buy a security software, if everything works fine?

Perhaps, they hoped it would be attributed to some hackers as usually, but encountered an honest engineer who understood the problem and reported it correctly. I cannot believe that they released update worldwide without testing it on some lab computers.

Do not discount the "intentional" possibility

[Laxator2]

Did anyone check the trend of the CrowdStrike stock price over the last year ?
https://finance.yahoo.com/quot... [yahoo.com]
It went from 150$/share on 31st of July 2023 to 390$/share on July 1st 2024. More than doubled. Such stock is ripe for short-selling, and we should not discount the possibility of someone shorting their stock and the working with an insider to cause this problem, leading to a drop in the stock price.
The shareholders may not be technically clued-in, but they are fully aware of such tricks to profit

Re:

[F.Ultra]

The share did that increase because the company:s profits increased greatly in that time frame, their net profit per quarter went from $0.5M to $43M between those two dates.

They can just bribe "SCOTUS" to rule them immune.

[Eunomion]

Under the legal precedent known as "we say so," which they've been using a lot lately.

Own goal

[felixrising]

Seems like an obvious own goal. Not that smart, just greedy.

Dumbest thing I've ever heard

[CEC-P]

"We lost money and we're mad...umm, wait, no, I mean you didn't disclose that you're a bunch of idiots! We all know you have to legally disclose if you're a bunch of incompetent morons" - clueless Wall Street people.

The CEO and founder did THE EXACT SAME THING in 2010 when he was CTO of McAfee and it bankrupted their company until Intel bought it. What more of a warning do you need?

Imagine the outcome.

[John Allsup]

Shareholders sue Crowdstrike. Shareholders win. Crowdstrike owes them millions that it doesn't have. Crowdstrike goes bankrupt. Shareholders shares lose all their value. Wonderful victory.

Re:

[F.Ultra]

what they are valued at says nothing about their capacity to pay out. Their value is just that, a valuation done by the participants at the share market. Now they have a net profit of $42M last quarter and some $7bn in assets so they should have no problem with some pay out, only mentioning that their market cap is no indication.