this post was submitted on 22 Jul 2024
254 points (95.0% liked)

Programming

17424 readers
38 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]



founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] -1 points 3 months ago (2 children)

Indeed, I fully agree. They obviously neglected on testing before deployment. So you can split the blame between the developer that goofed on the null pointer dereferencing and the blank null file, and the higher ups that apparently decided that proper testing before deployment wasn't necessary.

Ultimately, it still boils down to human error.

[–] [email protected] 4 points 3 months ago* (last edited 3 months ago)

Making a mistake once in a while on something one does all time is to be expected - even somebody with a 0.1% rate of mistakes will fuck up once in while if they do something with high enough frequency, especially if they're too time constrained to validate.

Making a mistake on something you do just once, such as setting up the process for pushing virus definition files to millions of computers in such a way that they're not checked inhouse before they go into Production, is a 100% rate of mistakes.

A rate of mistakes of 0.1% is generally not incompetence (dependes on how simple the process is and how much you're paying for that person's work), whilst a rate of 100% definitelly is.

The point being that those designing processes, who have lots of time to do it, check it and cross check it, and who generally only do it once per place they work (maybe twice), really have no excuse to fail the one thing they had to do with all the time in the World, whilst those who do the same thing again and again under strict time constraints definitelly have valid excuse to once in a blue moon make a mistake.

[–] [email protected] 8 points 3 months ago (1 children)

Finding people to blame is, more often than not, useless.

Systematic changes to the process might prevent it from happening again.

Replacing "guilty" people with other fallible humans won't do it.

[–] [email protected] 2 points 3 months ago (3 children)

Still, with billions of dollars in losses across the globe and all the various impacts it's having on people's lives, is nobody gonna be held accountable? Will they just end up charging CrowdStrike as a whole a measly little fine compared to the massive losses the event caused?

One of their developers goofed up pretty bad, but in a fairly simple and forgivable way. The real blame should go on the higher ups that decided that full proper testing wasn't necessary before deployment.

So yes, they really need to review their policies and procedures before pressing that deploy button.

[–] [email protected] 3 points 3 months ago

with billions of dollars in losses

But the real question we should be asking ourselves is "how much did tops saved over the course of the years without proper testing"

It probably is what they are concerned about, and I really wish I knew the answer to this question.

I think, this is absolutely not the way to do business, but maybe that's because I don't have one ¯\_(ツ)_/¯

[–] [email protected] 8 points 3 months ago* (last edited 3 months ago)

is nobody gonna be held accountable?

Likely someone will, but legal battles between companies are more about who has more money and leverage than actual accountability, so I don't see them as particularly useful for preventing incidents or for society.

The only good thing that might come out of this and is external to CrowdStrike, is regulation.