Jump to content

Talk:2024 CrowdStrike-related IT outages/Archive 4

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia
Archive 1Archive 2Archive 3Archive 4

Said to be

"Despite the losses companies have suffered, CrowdStrike was said to be only minimally liable for the damage or lost revenue caused"

Whether the company Crowdstrike and its staff is liable under civil or penal laws worldwide cannot be determined by a "said to be" analysis of their terms and conditions. The linked source is not authorative.

For instance in Germany Penal Code Section 303v StGB § 303b Computersabotage stipulates "(1) Anyone who significantly disrupts data processing that is of essential importance to another person by... 3. destruction, damaging, rendering unusable, removal or alteration of a data processing system or a data carrier, shall be liable to a custodial sentence not exceeding three years or to a monetary penalty."

Now, of course it is upon courts to determine how that lack of due diligence when pushing an update shall be evaluated. Rebentisch (talk) 17:29, 9 August 2024 (UTC)

Coming from a policy-analysis professional background, I would suggest that this needs to be something like "... CrowdStrike is expected to be only minimally liable for lost revenue and other damages, in most jurisdictions", if this is what is supported by the sources (i.e., if legal- and policy-competent source material is generally saying pretty much what that Wikipedia-summary version arrives at in easily-digestible form). Then cite a bunch of those sources so there is no "according to whom?" problem. The issues in the original wording are multiple: First, "was" is wrongly past-tense. Second, "said to be" implies a statement of fact (or a statement of opinion about a fact), when the fact is indeterminate (depends on legal case outcomes which will take years), and we're really dealing with a prediction, not a factual observation. Third, "damages" in the legal sense is plural, and lost revenue is a subcategory thereof, not something distinct from damages. Fourth, "caused" serves no purpose in this sentence and is just blather.  — SMcCandlish ¢ 😼  02:51, 10 August 2024 (UTC)
I rewrote that paragraph in the article to actually reflect the linked source anyway, which I think dodges the legal-wording problem. Conkaan (talk) 14:46, 12 August 2024 (UTC)
What paragraph was it? I can't find it and I'm curious to see what it says before and after. 2A04:4A43:424F:DC33:3D59:212C:8E0A:5594 (talk) 02:49, 5 September 2024 (UTC)

Analysis & Liability: New subsections on "Choice to write in C++"

Several sources have noted that this probably wouldn't have happened if the CrowdStrike module had been written in Rust instead of C++. IMO this is the most likely avenue for a legal case alleging "gross negligence" (i.e. so negligent as to negate contract terms that limit liability). Jruderman (talk) 18:43, 13 August 2024 (UTC)

If reliable sources support the proposition that the programming language chosen was a causal factor, that is appropriate for inclusion. If it is merely speculation or conjecture, such as probably wouldn’t have happened (without more), that does not appear appropriate for inclusion. Local Variable (talk) 01:42, 14 August 2024 (UTC)
... had been written in Rust instead of C++. This sounds like the memory-safe programming debate again, without it being referred to as such. Regardless, if you have sources, then please link to them. (Also, COI?) --Super Goku V (talk) 04:27, 14 August 2024 (UTC)
I assume as a former security bug hunter for Mozilla OP is partial to Rust. Local Variable (talk) 04:43, 14 August 2024 (UTC)
Ah, that would be it. I was just confused on how there could possibly be a COI if it didn't otherwise apply to the article. --Super Goku V (talk) 09:03, 14 August 2024 (UTC)

Sources for language choice issue

— Jruderman (talk) 15:28, 14 August 2024 (UTC)

This all seems to be based on the debunked analysis by Zack Vorhies, who also cited DEI as a cause of the incident in his analysis. --Ahecht (TALK
PAGE
)
16:11, 14 August 2024 (UTC)
I saw that thread at the time and became suspicion when the DEI bits appeared. Sounds like this isn't ready for inclusion until CrowdStrike release their own root-cause analysis. Jruderman (talk) 00:55, 21 August 2024 (UTC)
Yes, been debunked. It should not be included. People were racing to discuss the issue without much actual insight. Now things have settled down. 2A04:4A43:424F:DC33:3D59:212C:8E0A:5594 (talk) 02:51, 5 September 2024 (UTC)