CrowdStrike update blunder may cost world billions – and insurance ain't covering it all

The cost of CrowdStrike's apocalyptic Falcon update that brought down millions of Windows computers last week may be in the billions of dollars, and insurance isn't covering most of that. That's according to cloud monitoring and insurance biz Parametrix, which this week claimed that US Fortune 500 companies – of which around a …

  1. A.P. Veening Silver badge

    Insurance may have to eat more of it

    A lot of companies will claim that they were only using CrowdStrike because of insurance policies where CrowdStrike was one of the very few to tick a specific checkbox, placing the blame for it squarely with the insurance companies.

    And as always, the only ones that profit from it will be the lawyers.

    1. jake Silver badge

      Re: Insurance may have to eat more of it

      "And as always, the only ones that profit from it will be the lawyers."

      Oh, I dunno. Word on the street is that this has been the last straw for some companies. There will probably be a lot of work for enterprising folks who have the capability of migrating existing systems away from Microsoft's perpetually insecure methodology.

      There will be a lot of money in it for some people, I'm sure.

      1. Anonymous Coward

        Re: Insurance may have to eat more of it

        Oh, I dunno. Word on the street is that this has been the last straw for some companies. There will probably be a lot of work for enterprising folks who have the capability of migrating existing systems away from Microsoft's perpetually insecure methodology.

        Come back in a month or two and let us know how many of those on the street managed to successfully migrate away. I am sure that it will add up to a very small, truly insignificant number.

        Unless of course those on the street can actually provide more evidence than just word on the street.

        1. heyrick Silver badge

          Re: Insurance may have to eat more of it

          "I am sure that it will add up to a very small, truly insignificant number."

          A few years ago, the place I work ditched Windows for Linux. For the average admin stuff, it was fine. But for the production stuff and stock control, it was a nightmare. The company is used to being able to throw some money at a company to get software modified to fit how things need to be done (we're talking for end to end traceability for everything; to take stock held here and check it out at head office without losing anything). The Linux world doesn't think like that, and it was helpfully pointed out that the source code is available so it can be endlessly customised. We're not an IT place, we're a factory.

          They found a stock control provider who was more than willing to come and look at what we were doing and why, and promise a compatible system in two weeks, along with a couple of months shadowing in case anything needs tweaked, and full training thrown in. I'm sure it cost a pretty penny, but the company needed the stock control system. In that two week period, Linux was entirely erased and we went back to Windows.

          The Windows world may suck donkey balls, but it's what business works with and until players on Linux get serious about what companies actually need (the fix it yourself attitude is a massive red flag to corporate non-nerds), many will stay with Windows.

          1. Charlie Clark Silver badge

            Re: Insurance may have to eat more of it

            ERP systems in particular can be hosted on Linux and there are plenty of options. The problems start if you want it to be free… in which case there is all the open source you can eat but you'll choke to death on it.

            But, really, for hosting most servers, unix is by far the better option: it is cheaper to install and keep up to date and allows better separation of systems so that if one does go down the effects are limited. Patch management on unix systems is much much better than Windows, even though I think RHEL is a fraud and you generally use fewer resources. I weep when I see the bill for keeping our Windows VMs up to date every month or what it costs in terms of RAM just to spin up a new SQL-server.

            Migration strategies should be thought out and incremental: start with the low-hanging fruit such as file-server and databases and work your way up. In many cases the same product exists for multiple platforms and there are support contracts for key systems. It will take more thought and more work when it comes to moving products, say, MS Exchange and VMware, but there are alternatives out there that won't break the client experience.

            We haven't seen it much, yet, but no doubt we'll start seeing reports in management magazines about the "long-tail risk" of moving someone's cloud.

          2. Bebu

            Re: Insurance may have to eat more of it

            The Linux world doesn't think like that

            More properly the free (libre) open source software world.

            Enterprises, even extremely large ones, are content to pay Microsoft zillion$ for the privilege of sucking Microsoft's donkey's balls yet baulk at paying developers mouse money to maintain that developer's FOSS components which the enterprise uses.

            Change is hard. Real persistent change is incremental and slow. Any change must overcome a resource barrier or barriers (Activation energy.)

            Without long term commitment and planning, without sufficient resources any such transition is doomed to fail.

            Paying developers to modify and customise FOSS applications while respecting the software's licensing is never going to fly in North American corporate culture but perhaps possible elsewhere.

            Something that surprises me is that when an organisation embraces an "enterprise solution" they invariably modify or replace their business processes to fit the requirements of the software but when a FOSS solution is contemplated any examination let alone modification of existing processes is an anathema.

            In all honesty I think the Redmond donkey will have its testicles sucked for decades to come so it's fortunate they are a long-lived species - the taste of dead donkey's balls is a whole new level.

          3. ZoranGrbic

            Re: Insurance may have to eat more of it

            Looks like the switch didn't go as smoothly as planned, huh? It seems like the decision to go with "it's free" as the main selling point might have skipped a few crucial steps.

            A thorough due diligence process probably would have flagged potential issues and shown that simply "ditching" your current setup wasn't the best move.

            Your conclusions also seem to rely on some outdated notions of what "Linux" actually is today. But hey, at least a solution was found—just maybe not in the most efficient way.

          4. R Soul Silver badge

            Re: Insurance may have to eat more of it

            In that two week period, Linux was entirely erased and we went back to Windows.

            Why? Surely you knew systemd includes the best stock control system ever?

          5. jake Silver badge

            Re: Insurance may have to eat more of it

            Virtually every inventory control program I ever took care of in the early days ran on a mini computer, not something from Redmond. And most of those were ported to (or re-written for) UNIX-like systems by the early 1990s. Virtually every Redmond-based "solution" that I've seen has been a buggy re-write and/or direct ripoff of that pioneering work.

            To suggest that there are no un*x-based inventory control systems that work worth a shit tells me that you know very, very little about the subject.

          6. vcragain

            Re: Insurance may have to eat more of it

            What that fix it yourself parameter means is that every little shop has to be entirely responsible for its own code, and most companies need support behind them in case systems go wrong, and every company cannot afford, and might have trouble keeping, support staff with enough real talent to be in control of things. Regardless how much you pay your people there is no guarantee they will stay to support the systems they have grown to know every wrinkle of! Every new person has to start all over again, assuming great documentation - that might be ok but for most places that is just not true! There is a reason companies buy ready-made packages instead of writing their own!!! I'm long since retired, but my last contribution to my company was sales pull software I wrote for their numerous stores, which worked wonderfully, which was decided after examining the existing ready-made packages out there, none of which did quite what we needed! The problem was no other programmer wanted to get involved with this system because they knew just how crucial it was to the orderly running of the company's backend systems. I put together a big online training manual & trained several people who promptly left to less stressful positions, programmers loving to code, but not loving too much responsibility for logging in at night to fix any problems! I loved my job, loved my system (of course) which was very recoverable from almost any stage of the process, deliberately built that way, yet still others balked at learning enough to allow me to retire! I eventually had to retire for health reasons at 72, and others HAD to get involved in spite of their reluctance. I'm sure there were a few pissed off puppies, but the company still operates & I presume they are not carting bags of print around to sort out their problems!

            So, much as I loved what I produced, it is a better idea to use software packages with support where you can do that, although you still need to train people on such packages! I really do not see the advantages in going with the Linux fix it yourself parameters.

        2. katrinab Silver badge

          Re: Insurance may have to eat more of it

          Migrating away from Crowdstrike will be relatively straightforward. Will take more than two months though.

          Migrating away from Windows, not so much, and wouldn't actually help you with this specific problem, because Linux suffered the same fate a couple of months back.

          1. jake Silver badge

            Re: Insurance may have to eat more of it

            "because Linux suffered the same fate a couple of months back."

            No. Linux did not. Only fools who use Windows-style snake-oil on Linux had that issue.

        3. jake Silver badge

          Re: Insurance may have to eat more of it

          "Come back in a month or two and let us know how many of those on the street managed to successfully migrate away."

          I started migrating Vet clinics (just one example) away from Redmond and Cupertino and onto Linux (with a pinch of BSD for larger outfits) back in late 1998, in preparation for the coming Y2K "crisis". To date, all of those that I migrated are still using Linux. So it's been over a quarter century, never mind a month or two. Here's a post I wrote on the subject half a decade ago:

          https://forums.theregister.com/forum/containing/3789082

          And that's just the Vet clinics. I've migrated many other companies, large and small, in the last 25 years. None were affected by this latest malware du jour, and in fact haven't seen problems with any malware. Probably because they don't depend on snake-oil "security" placebo solutions.

      2. InsaneGeek

        Re: Insurance may have to eat more of it

        Problem is that Crowdstrike did this to linux too

        https://www.theregister.com/2024/07/21/crowdstrike_linux_crashes_restoration_tools/

      3. Anonymous Coward

        Re: Insurance may have to eat more of it

        As much as I love Linux and as much as I know it's the intelligent choice when it comes to servers deep down I know that's not going to happen. Whilst IT folk are generally quite clever you can't just plonk someone down in front of a Linux server when all they have known in a working capacity is Windows. There is a huge knowledge gap. That's only the start. Then you have migration of applications. The list goes on and on and on. Having people do the migration is all well and good but who carries the torch once it's done? Some companies may start to give it a long hard look and ask the question but when you get to the answer there is a cost involved and that cost only offers the benefit of avoiding the next windows issue but it also doesn't protect you from the next Linux issue because you are now on Linux (and yes there are the occasional blips). Given all that it's unlikely many will switch but what they will do is maybe look at procedures to try and mitigate the next windows problem.

        1. Anonymous Coward Silver badge

          Re: Insurance may have to eat more of it

          Linux (in the form of RHEL, among others) has been popular in certain segments for long enough that there's actually a reasonable size pool of talent out there. If your IT staff aren't au fait with Linux, and aren't prepared to learn, you can get new staff.

          1. Casca Silver badge

            Re: Insurance may have to eat more of it

            Ah yes, just replace the employees. Good one...

            1. Anonymous Coward Silver badge

              Re: Insurance may have to eat more of it

              If they're not prepared to learn a superior technology for your line of business...

            2. ZoranGrbic

              Re: Insurance may have to eat more of it

              Getting rid of staff seems to be the latest fashion in tech, no? If they can get rid of people to make more money for the investors, they surely can replace them to have an updated pool of Linux pros?

          2. Scene it all

            Re: Insurance may have to eat more of it

            It is CrowdStrike that needs to replace their staff. All of it, up to and including the CEO.

        2. hoola Silver badge

          Re: Insurance may have to eat more of it

          Have people still not understood that CrowdStrike hit Linux servers in April? The only reason it did not cause meltdown is that the installed base is so low.

          With this issue if you replace all the Windows servers with Linux then they will still have CrowdStrike on.

          1. Bebu

            Re: Insurance may have to eat more of it

            «Have people still not understood that CrowdStrike hit Linux servers in April? The only reason it did not cause meltdown is that the installed base is so low.

            With this issue if you replace all the Windows servers with Linux then they will still have CrowdStrike on.»

            Perhaps not.

            Often the only reason an organisation has CrowdStrike Falcon and/or Mandiant FireEye etc installed on their non-Windows servers (Linux, Unix) is this <sarc>wonderful</sarc> software was installed on all the Windows boxes by a horde of security consultants and outsourcers, and when they have moved on to pillage elsewhere the remaining laggards, now employees, want their "single pane of glass" to include the non-Windows systems.

            One positive outcome is insurers will refuse to pay claims, or do and massively increase future premiums - either way organisations will be motivated to do a cost/benefit analysis (and hazard/risk analysis) to determine whether they are handing over their cold hard for SFA Insurance (FAI was already used in AU.)

          2. Michael Wojcik Silver badge

            Re: Insurance may have to eat more of it

            The Crowdstrike Linux failure only applied to Falcon running in kernel mode, not Falcon using eBPF.

            eBPF is certainly not perfect — there have been a number of issues with it, such as CVE-2021-3490 — but overall it's a safer model for this sort of thing.

            Unless and until Crowdstrike moves to a better architecture for Falcon on Windows (moving the rules engine into userspace, using ETW for monitoring and the driver only for blocking, whatever), Linux is probably safer.

            Arguably a bigger problem is the cozy relationship between Crowdstrike and regulators/auditors, which has become a moat for Crowdstrike and an impediment to using alternatives.
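The architectural point in the comment above (keep the crash-prone rules engine out of the kernel, so a bad content update cannot take the host down) can be shown in miniature with a process boundary. The C program below is an added example written for this thread, not CrowdStrike's or anyone else's code: a deliberately strict rule-file parser treats a format violation as fatal (abort(), standing in for a kernel bug check), and a loader runs it first in a forked child so that a fatal error only kills the child, leaving the last-known-good rules active in the parent. The "name=pattern" rule format, the rule names and both sample updates are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_RULES 16

/* Toy detection rule, one "name=pattern" per line (constructed format). */
typedef struct {
    char name[32];
    char pattern[64];
} rule_t;

/* Parser that enforces its invariants the way a kernel component does:
 * unexpected input is a fatal error. abort() stands in for a bug check. */
static int parse_rules(const char *text, rule_t *out, int max_rules) {
    int n = 0;
    const char *line = text;
    while (*line && n < max_rules) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *eq = memchr(line, '=', len);
        size_t nlen = eq ? (size_t)(eq - line) : 0;
        size_t plen = eq ? len - nlen - 1 : 0;
        /* Invariant: both halves present, non-empty and within the field sizes. */
        if (!eq || nlen == 0 || plen == 0 ||
            nlen >= sizeof out[n].name || plen >= sizeof out[n].pattern)
            abort();
        memcpy(out[n].name, line, nlen);
        out[n].name[nlen] = '\0';
        memcpy(out[n].pattern, eq + 1, plen);
        out[n].pattern[plen] = '\0';
        n++;
        line = nl ? nl + 1 : line + len;
    }
    return n;
}

/* Apply a content update without risking the host process: run the parser in
 * a forked child first. The parent adopts the update only if the child exits
 * cleanly; otherwise the previously active rules stay in place.
 * Returns 1 if adopted, 0 if rejected, -1 if the child could not be started. */
int load_rules_isolated(const char *update, rule_t *active, int *active_count) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        rule_t scratch[MAX_RULES];
        parse_rules(update, scratch, MAX_RULES); /* may abort() on bad input */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return 0; /* child died or rejected the update: keep last-known-good */
    /* The parser is deterministic, so re-running it in the parent is now safe. */
    *active_count = parse_rules(update, active, MAX_RULES);
    return 1;
}

/* Constructed sample updates: the second contains a blank line, which the
 * parser treats as a fatal format violation. */
static const char GOOD_UPDATE[] = "rule_a=alpha\nrule_b=beta\n";
static const char BAD_UPDATE[]  = "rule_a=alpha\n\nrule_b=beta\n";

/* Runs both updates through the loader and returns 1 only if the good one was
 * adopted and the bad one was rejected with the active set left intact. */
int verify_isolation(void) {
    rule_t active[MAX_RULES];
    int count = 0;
    if (load_rules_isolated(GOOD_UPDATE, active, &count) != 1 || count != 2) return 0;
    if (load_rules_isolated(BAD_UPDATE, active, &count) != 0) return 0;
    return count == 2 && strcmp(active[0].name, "rule_a") == 0 &&
           strcmp(active[1].pattern, "beta") == 0;
}

int main(void) {
    rule_t active[MAX_RULES];
    int count = 0;
    printf("good update: result=%d, active rules=%d\n",
           load_rules_isolated(GOOD_UPDATE, active, &count), count);
    printf("bad update:  result=%d, active rules=%d (unchanged)\n",
           load_rules_isolated(BAD_UPDATE, active, &count), count);
    return verify_isolation() ? 0 : 1;
}
```

The child's abort() produces the same SIGABRT a real parser crash would, but the parent only sees a non-zero wait status and moves on; in a kernel-mode design there is no equivalent boundary, which is the comment's point about userspace rules engines and eBPF's verified programs.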

  2. DS999 Silver badge

    If insurance ends up making significant payouts

    They will either greatly raise the rates of policies that include such coverage, or specifically exclude such events from coverage.

    The risk of something like this has been more theoretical in the past, so it is hard for insurers to model. It is easier to insure stuff like fires or floods, the risks are known, future risks can (mostly) be calculated, and mitigation strategies exist for them.

    The risk of this wasn't known because it had never happened before on such a scale, it remains difficult to calculate future risk but they sure will consider it a hell of a lot more likely than they did last month, and there aren't mitigation strategies those afflicted last week or potentially affected in the future can use to reduce their risk by all that much.

    1. hoola Silver badge

      Re: If insurance ends up making significant payouts

      Given that the insurers are a very large part of why this caused so much chaos maybe they should also be in the firing line for legal action.

      They bought into the shite that somehow installing an ephemeral cloud product with no track record but sharp salespeople was the way forward.

      1. Cav

        Re: If insurance ends up making significant payouts

        Nonsense. That's like saying regulators would be at fault for insisting that ocean-liners (Titanic!) had lifeboats and the lifeboat manufacturer didn't seal all the joints and the lifeboats sank.

        1. Richard 12 Silver badge

          Re: If insurance ends up making significant payouts

          Nothing of the sort. That attempt at analogy isn't even in the same galaxy, let alone ballpark.

          A better one might be that the insurance company insisted they pay a consultant to come and cut open the boiler every week looking for limescale, the consultant couldn't weld for toffee and the boiler exploded.

      2. Michael Wojcik Silver badge

        Re: If insurance ends up making significant payouts

        Did insurers do this directly? Or did they simply say "you get a discount on premiums if you have ISO 27001 [for example] compliance", and then the ISO 27001 auditors come in and say "we have a template we can use for this part of the audit if you use Crowdstrike, and that saves us X days and you $Y"?

        From what I've seen (which I admit is very much anecdotal), there's a sort of partly-accidental regulatory capture here, which Crowdstrike encouraged but certainly didn't have full control over. Basically they saw an opportunity to get the insurers and auditors to sell their product for them, by having it indirectly reduce costs.

  3. Gene Cash Silver badge

    Y2K24?

    Really? Are you really comparing this to Y2K?

    Y2K was a coordinated meticulous effort to prevent a global fallover due to outdated calendar handling, and was a non-event due to everyone doing their jobs.

    This was (and continues to be) a complete shitshow by cowboys that wouldn't know defensive coding or professional procedures if it hit them in the face.

    Parametrix and CyberCube also seem to be completely ignoring the medical sector that took a big hit.

    1. Dan 55 Silver badge

      Re: Y2K24?

      I can't help but wonder what would have happened if today's development, testing, and agile practices were used in the late 90s to fix Y2K code.

      1. Anonymous Coward

        Re: Y2K24?

        If we did Y2K as Agile, we would still be fixing it in 2038.

        More seriously - Y2K ticked lots of boxes where Agile (at least as it was taught back then - I remember researching Agile (DSDM in this case) at the same time as working with the Y2K Remediation Team) was discouraged: Politically sensitive, financially sensitive, fixed timescale and safety critical.

        Of course, these days nearly all the Agile training simply assumes that Agile can be bashed in anywhere - I have only seen one or two places where, very late in the training, they briefly admit that Agile isn't always the best choice.

      2. Alex Brett

        Re: Y2K24?

        We'll likely get a chance to find out in about 14 years' time, with the 2038 problem (32-bit unix timestamps will overflow, potentially leading to a number of tools thinking it's 1970). Whilst the current kernel uses 64-bits now, there are bound to be a huge number of both old systems and applications still using 32-bit...
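As an added illustration of the 2038 overflow mentioned in the comment above (not code from the thread or from any project named in it), the C program below emulates storing a 64-bit epoch value in a legacy signed 32-bit field, computes where the rollover happens and where the wrapped value lands, and runs a small audit over a constructed list of timestamps to count the ones a 32-bit consumer would corrupt. The sample timestamps are made up for the example; the formatting helper assumes a host with a 64-bit time_t, as on 64-bit Linux.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Emulates writing a 64-bit epoch value into a legacy signed 32-bit field
 * (an on-disk record, a 4-byte wire field, a time_t on an un-migrated 32-bit
 * build). Casting through uint32_t makes the truncation well-defined; the
 * final conversion to int32_t is two's-complement on mainstream compilers. */
int32_t store_time32(int64_t t) {
    return (int32_t)(uint32_t)(uint64_t)t;
}

/* 1 if t does not survive a round trip through a signed 32-bit field. */
int time32_overflows(int64_t t) {
    return t > (int64_t)INT32_MAX || t < (int64_t)INT32_MIN;
}

/* Formats an epoch value as UTC. Assumes the host time_t is 64-bit (true on
 * 64-bit Linux); a 32-bit glibc build without _TIME_BITS=64 would itself be
 * subject to the bug being demonstrated. */
const char *fmt_utc(int64_t t, char *buf, size_t n) {
    time_t tt = (time_t)t;
    struct tm *tm = gmtime(&tt);
    if (!tm) { snprintf(buf, n, "(unrepresentable)"); return buf; }
    strftime(buf, n, "%Y-%m-%d %H:%M:%S", tm);
    return buf;
}

/* The last instant a signed 32-bit time_t can hold. */
const char *rollover_instant(void) {
    static char buf[32];
    return fmt_utc((int64_t)INT32_MAX, buf, sizeof buf);
}

/* Where one second past the rollover lands after truncation. */
const char *wrapped_instant(void) {
    static char buf[32];
    return fmt_utc(store_time32((int64_t)INT32_MAX + 1), buf, sizeof buf);
}

/* Audit helper: counts timestamps (certificate expiries, scheduled-job times,
 * retention dates pulled from a database) that a 32-bit consumer would corrupt. */
size_t count_unsafe(const int64_t *ts, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += time32_overflows(ts[i]) ? 1 : 0;
    return bad;
}

/* Constructed sample: three values a 32-bit consumer handles, two it does not. */
static const int64_t SAMPLE[] = { 1721606400, 2147483647, 2147483648, 4102444800, 0 };
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

int main(void) {
    char buf[32];
    printf("32-bit time_t rollover at %s UTC\n", rollover_instant());
    printf("one second later reads as %s UTC\n", wrapped_instant());
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        printf("%" PRId64 " -> %s %s\n", SAMPLE[i],
               fmt_utc(SAMPLE[i], buf, sizeof buf),
               time32_overflows(SAMPLE[i]) ? "UNSAFE" : "ok");
    printf("%zu of %zu sample timestamps would be corrupted\n",
           count_unsafe(SAMPLE, SAMPLE_LEN), SAMPLE_LEN);
    return 0;
}
```

Whether an affected tool reports 1901 (signed wrap, as shown here), 1970 (a consumer that clamps negative values to zero) or a much later date (one that reads the field as unsigned) depends on how that consumer interprets the four bytes, which is why an inventory of 32-bit fields, not just the kernel's time_t width, is what an audit needs.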

        1. Anonymous Coward

          Re: Y2K24?

          There's a reason I used 2038 in my response. I'm glad someone picked up on the reference...

    2. Anonymous Coward

      Re: Y2K24?

      "Parametrix and CyberCube also seem to be completely ignoring the medical sector that took a big hit."

      Yup. My father's heart operation has been delayed because the hospital he was scheduled to be in has not fully recovered from the outage last week.

    3. David Hicklin Silver badge

      Re: Y2K24?

      And will the next major outage by <insert co here> be called Y2K24 A ?

    4. KarMann

      Re: Y2K24?

      Parametrix and CyberCube also seem to be completely ignoring the medical sector that took a big hit.
      TFA: …and an estimated over three billion dollars was destroyed between the banking and healthcare sectors.
      Do go on.

    5. Cav

      Re: Y2K24?

      "and was a non-event due to everyone doing their jobs."

      Exactly! Another article on the BBC just today indicating that Y2K was an unnecessary panic because nothing really bad happened... Too stupid, too young or both, to appreciate all the work we programmers did for years at the end of the 20th century.

      1. Dan 55 Silver badge

        Re: Y2K24?

        I assume it was this one, somehow it manages to blame "shortsighted engineers" for using two-digit years but not mention all the work done to fix software, giving the impression there was a bunch of prophecies foretelling the end of the world but only a few things broke in the end. Jesus effing Christ...

  4. Phil Kingston

    There's simply no way Crowdstrike aren't gonna get sued into oblivion.

    Team-mates and partners should be making sure they don't miss out on their $10 voucher.

    1. Khaptain Silver badge

      It won't be easy to sue them, those T&C's have a raison d'être.

      No one forces anyone else to use Crowdstrike and you have to accept the conditions, which basically protect them against being attacked.

      The T&C's are only in place for Crowdstrike, not for the clientele.

      1. Dan 55 Silver badge

        I've never understood the widely-held idea in US software circles which consists of the CEO wiping their arse on a piece of paper and calling it an EULA or T&Cs and this apparently makes the seller or service provider invulnerable to their customers. I suspect we're about to find out it's not true.

        1. Andrew_C

          Yeah, while that Autodesk EULA case made it to the Supremes, that was more of a copyright thing and very different circumstances, it won't cover this.

        2. Jellied Eel Silver badge

          I've never understood the widely-held idea in US software circles which consists of the CEO wiping their arse on a piece of paper and calling it an EULA or T&Cs and this apparently makes the seller or service provider invulnerable to their customers. I suspect we're about to find out it's not true.

          It doesn't always provide invulnerability, as my favorite copyright attorney explains in this video-

          https://www.youtube.com/watch?v=byZHIoqi8oo

          Where he goes through the T&Cs and points out that although they attempt to immunise themselves against any liability, they can't avoid some. So he points out that negligence and gross negligence statutes still apply. Then goes through some existing case law where companies have been found liable, even though their terms attempted to avoid that liability. So basically it might be proven that ClownsTrike were grossly negligent by not testing the update before pushing it to their customers.

          He also points out that the T&Cs may not apply to some customers. This is something I've dealt with in previous projects. Most standard T&Cs are essentially worthless and don't warrant that the product or service will work. No sane customer would agree to those terms, but the balance of power is very lopsided, ie an SME would probably have to just take it or leave it. Large customers have more power.

          So ClownsTrike may be part of a bid/RFP for services. The bid document would set out specifications, and the bidders would have to be compliant or non-compliant with each requirement. If ClownStrike responds to a bid, that would form a contract and their standard T&Cs may not apply. Bidders generally want the client to accept T&Cs because that's just a lot easier. But on large bids, you go through the responses with internal/external counsel to look for stuff like this. Then it can get interesting, ie the bidder may refuse to vary their standard terms, or bid 'fully compliant' and then just accept there may be an SLA violation and eat the loss. Trickiest one is if the client demands consequential losses, which is then trying to negotiate that away, or insure those losses and limit liability to $X million etc. But that then means negotiating with insurers, who'll obviously want to understand the risk profile.

          And negligence still generally trumps all of that. But given the extent of the outages, losses and publicity, I expect lawyers will be salivating over the opportunity to try for negligence, either in individual cases or as a class action.

        3. Michael Wojcik Silver badge

          I've never understood the widely-held idea in US software circles which consists of the CEO wiping their arse on a piece of paper and calling it an EULA or T&Cs and this apparently makes the seller or service provider invulnerable to their customers.

          Perhaps because historically, in practice, it generally has?

          IT firms, and particularly ISVs, have gotten away with selling abysmally poor products for decades. I know there's a strong inclination to believe this time will be different, but frankly I don't think that's very probable.

          1. Dan 55 Silver badge

            Not so much in European countries where there are statutory rights which can't be waived away by a clause.

            1. Richard 12 Silver badge

              A lot of those only apply to consumers though.

              However, there is a fundamental part of all contract law that the product or service will be provided to a 'reasonable standard'.

              Enforcing that is usually difficult - A while back I discovered Haart estate agents had left a tenant in the literal dark for two years, and didn't bother telling me that one of them died three years prior. I was advised that the best option was simply immediate termination, getting a refund or compensation would likely cost more in legal and court fees than money returned.

              However, in this case the negligence is so heinous and infamous that the only barrier is making sure you start the action soon enough that CrowdStrike still exist by the time you can enforce the judgement.

      2. Joe W Silver badge

        ... and this is why we need to think about accountability and safety within the IT delivery chain - not only the food industry...

        And I have always wondered about those EULAs, basically saying that the manufacturer is not even sure if the software is fit for its intended use. Sure, if it is my home hobby piece of what I could generously call software that is written for my use, and maybe a mate can use it, and I cannot be arsed to really test it that is basically ok. On the other end are big software houses that earn millions during the time it takes to write this comment. They sell their product for a certain use, and need to make sure it can be used for this purpose.

        If I design a car shaped object and drive on my own land and break my neck nobody cares. If I want to drive it on a public road it needs to get certified. If a big company sells a car for use on public roads and the car is unsafe, they are held liable (well... in theory they should be, and could be, and... yeah).

        1. Michael Wojcik Silver badge

          People have been arguing that software developers (individuals and/or corporations) should have to accept some measure of liability for pretty much as long as software has existed. Just as they've been arguing for professional standards and licensing, and various other forms of regulatory restraint on this very chaotic and undisciplined industry. A tremendous amount of ink and pontification have been spent on the topic, and little or nothing has happened yet. I'm not holding my breath.

          (And, yeah, if the software development industry were suddenly regulated I'd be affected, and I'd probably bitch about a lot of it, at least quietly and to myself. And, yes, there are many problems with existing liability and licensing regimes, as any licensed professional can attest. Professionalization has not cured us of bad lawyers, doctors, or engineers. But software is an utter fucking disaster, and professionalization / assumption of liability might help somewhat.)

          1. Khaptain Silver badge

            If some of the software were to be regulated in relation to the above comments, it would probably then cost 4 times the price. As they would have to factor in the insurance costs which would be astronomical.

            It's the snake biting its own tail.

    2. Gavacodo

      Sued yes. Win not sure. I expect they have very good contract law lawyers but I guess time will tell.

      1. Kubla Cant

        Let's hope the fees for their "very good contract law lawyers" bankrupt them.

    3. Michael Wojcik Silver badge

      I think that's wildly optimistic. Tech firms are almost never held to account.

      As Schneier and Raghavan put it recently:

      The market rewards short-term profit-maximizing systems, and doesn’t sufficiently penalize such companies for the impact their mistakes can have. (Stock prices depress only temporarily. Regulatory penalties are minor. Class-action lawsuits settle. Insurance blunts financial losses.)

      We've already seen that the stock market isn't particularly worried. Crowdstrike's price is still well above any pre-December-2023 value except for a brief spike in 2021. They're doing just fine at the moment.

      We'll see what happens over the next several months, but my guess is that a lot of the big customers will consult with their legal teams and decide a lawsuit, even a class action (and note class actions rarely benefit the plaintiffs; they're usually useful only for punishing defendants, and corporations aren't motivated by revenge), would be too chancy.

  5. Anonymous Coward

    A class action / RICO perhaps?

    Given that the CEO of CrowdStrike has prior as CTO of McAfee so shows a pattern of grossly negligent behavior as a principal of a public company we are very much going into RICO territory here.

    The part of RICO that put Michael Milken in jail back in the 1980's. From highest paid CEO in the US to doing time in chokey a few years later. Using the part of RICO that does not need any successful prior criminal convictions but a history of manipulating stock prices by actions both deliberate and less deliberate. RICO is a real catch all when it comes to this stuff. It's one of those "Prove You Are Innocent" areas of law once the investigation gets started.

    So I think a two pronged class action / DA RICO would soon see CrowdStrike Chapter 11'ed, George Kurtz in Club Fed in Paso Robles, and a lot of very unhappy VC's on Sand Hill Road. A happy ending in fact. There are many hundreds of DA's at city / county, state, and Federal levels and it just needs one to pull the trigger to put CrowdStrike and Kurtz in a world of hurt.

    Even better, any of these jurisdictions could appoint a special prosecutor who could RICO Kurtz's ass for years. Decades even. These are Ham Sandwich cases so unless the VC's backing them spend very serious money buying off the right politicians Kurtz will be found guilty and do jail time. For all the damage, misery and probably injury and deaths his greed and incompetence have caused.

    Could not have happened to nicer people.

    1. Jellied Eel Silver badge

      Re: A class action / RICO perhaps?

      Given that the CEO of CrowdStrike has prior as CTO of McAfee so shows a pattern of grossly negligent behavior as a principal of a public company we are very much going into RICO territory here.

      I doubt it, but then recent events have shown that enthusiastic DAs that want to make a name for themselves have been testing the boundaries of the law. But it might be possible that given the publicity and damage, one could try for criminal negligence.

      These are Ham Sandwich cases so unless the VC's backing them spend very serious money buying off the right politicians Kurtz will be found guilty and do jail time.

      The fix may already be in on that one. ClownsTrike ran interference over Hillary Clinton's 'hacking', then the DNC 'hack' with Guccifer2.0 and the RussiaGate meme. Which also involves dear ol' Assange, who claimed Russia wasn't involved and he knew whodunnit. It would be interesting to re-examine that story, and find out what really happened. But not talking about it may have been part of Assange's plea deal. Personally, I suspect that given the controversy around the way the DNC nobbled Bernie Sanders' campaign, that was a leak rather than a hack. But that was also the subject of a lot of conspiracy theories, eg the unsolved murder of Seth Rich.

      1. Anonymous Coward
        Anonymous Coward

        Re: A class action / RICO perhaps?...lots of case-law

        Actually the RICO case-law I was referring to was very well established by the 1980's when the Milken case went through. Going back decades. And as the recent Autonomy case showed, if the Fed District DA wants to get you, you are screwed. Lynch only escaped as the newly appointed Fed District DA basically threw the case. With the jury quite rightly saying - you cannot be serious based on how you presented the last bit of the case and summing up your evidence. So Not Guilty. A Fed DA who wants a conviction in these cases always gets their conviction. Which sometimes leads to some very unseemly overturns on appeal later on.

        CrowdStrike is full of Dem Party players and "party friends". But the fix very much depends on how much of an in they have with current people on top. Upper level party politics in the Dem Party is very "Chicago". Very - "So What Have You Done For Us Recently". And these party people have very short memories. If CrowdStrike hasn't currently got real leverage with someone big and there is any blood in the water you can be sure they will be thrown over the side as chum faster than you can say - Have you considered putting Willie Brown's law firm on retainer. They are down on The Embarcadero...

        As for who did what. Based on the gossip and boasting in Moscow the last few years Hillary's Server was a GRU op and the DNC email was a FSB op. While the SF-86 catastrophic breach was nothing to do with them. It was the Chinese. The Steele Dossier was just a typical DNC op. The type of stuff that has been going on since 1798. Welcome to US politics.

        As for Seth Rich. The most plausible story I've heard was that he was offed because he had leaked details about how Hillary's org was able to pull off such implausible primary results as getting over 60% of the vote in places like San Francisco even though you did not see a single Hillary sign anywhere in SF the previous six months. While it was wall to wall Bernie Bros. Everywhere in the City. Who was not even a member of the party. Just a pledge.

        So just another story of "Chicago Politics". Seth spilled the beans about how the primaries were fixed. And he paid the price. It was a really neat little operation involving two sets of ballots. Quite ingenious. He was just another innocent about how the big party politics game is actually played. They play to win. It gets very down and dirty and he ended up as just the latest collateral damage of the game.

    2. Michael Wojcik Silver badge

      Re: A class action / RICO perhaps?

      It's not RICO, dammit.

      1. Anonymous Coward
        Anonymous Coward

        Re: A class action / RICO perhaps?...oh yes it is...

        You are quoting this guy?

        https://brownwhitelaw.com/kenneth-p-white/

        Sorry, someone with this all over the place litigation / defense record is not exactly a reputable source of legal what's what. In fact by LA standards the guy is a really small time operator. I see zero relevant litigation / defense work when it comes to any substantive legal opinions relating to Title IX prosecutions / defense.

        https://en.wikipedia.org/wiki/Racketeer_Influenced_and_Corrupt_Organizations_Act

        The Milken case I was referring to.

        https://law.justia.com/cases/federal/district-courts/FSupp/759/109/1473275/

        It was a really big deal in SoCal in the late 1980's / early 1990's. Milken's offices were in Beverly Hills. Which is part of why Milken got taken out. He was not part of the East Coast Wall St Old Boys Club. The corporate raiders his junk bonds financed really pissed off the Wall St closed-shop back then. Not that I really blamed them. The raiders were just asset strippers and they destroyed lots of great companies. Including Kodak in the long run. After a very damaging raid in the early 1990's.

        There were a couple of very good books written about this case at the time. Including several that go into the legal nitty gritty. As the Fed NY Southern District DA had been so creative in how he interpreted Title IX and related statutes.

        The Fed DA was some guy named Giuliani if I remember correctly. I wonder what ever happened to him.

        1. Jellied Eel Silver badge

          Re: A class action / RICO perhaps?...oh yes it is...

          It was a really big deal in SoCal in the late 1980's / early 1990's. Milken's offices were in Beverly Hills. Which is part of why Milken got taken out. He was not part of the East Coast Wall St Old Boys Club. The corporate raiders his junk bonds financed really pissed off the Wall St closed-shop back then.

          I still don't think RICO would be applicable, or even necessary if you wanted to do a spot of corporate raiding and asset stripping. RICO needs some pattern of criminal behaviour, ie the predicate offences shown on the wiki page. I think that would be hard to prove. It would be much easier (probably, IANAL) to show criminal negligence given the failure to test the update, or do a staggered rollout. Or easier still to do a civil claim because the burden of proof is lower. Criminal could involve jail time for execs, civil just a large claim for damages. If ClownStrike can't pay, that would trigger Ch.11, restructuring and the CEO & board ousted and replaced by a friendlier bunch... which can be a legal form of corporate raiding.

          1. Anonymous Coward
            Anonymous Coward

            Re: A class action / RICO perhaps?...oh yes it is...

            It just needs a DA with an agenda to make a RICO prosecution work. As Milken proved.

            By the time I had read the first few of the books about the case that came out in the 1990's I ended up basically agreeing with Milken's position. That he did nothing wrong and the case was tissue thin. Milken had just done his bond research and found a very creative (and totally legal) way of making high yield bonds work. At least until the next recession hit, that is.

            But Giuliani was going to get his prosecution come what may. And by secreting himself away on the West Coast (and not even in San Francisco) Milken not only made lots of enemies on Wall St but more importantly, had never made any serious industry friends. Who owed him favors for the day everything might go wrong. If Milken had done the investment banking big beasts smooching at conferences, played golf at the right golf courses on LI and Connecticut, hung out at the right country clubs, then when the Feds came a-calling Milken could have ridden it out. As so many others had before. And since.

            As for RICO and CrowdStrike. They are prime RICO candidates when it comes to how the law has been applied to the stock of public companies in the past. But as someone else has pointed out they have friends in high political places so that greatly reduces the RICO risk but it is not zero. Because there is no more fair weather friend than a political friend who you need to ask a big favor from.

            Either way. It's break-out-the-popcorn time. Although given the nature of the legal system beast you might not hear any legal rumblings for years. And any legal action will proceed with the speed and sense of direction of a herd of spooked wildebeest. So no gnus is not necessarily good gnus. In the short term at least.

  6. ecofeco Silver badge
    Childcatcher

    Insurance may not cover it?

    Oh this is TOO funny!

    I may exceed my schadenfreude limit today!
