Business
Column: The CrowdStrike meltdown reminds us that the hacking problem doesn't come only from outside
Just last Wednesday, I posted a column reporting how our richest corporations, through sheer miserliness and profit-seeking, left millions of Americans vulnerable to technological attacks on their privacy and welfare.
I failed to raise one important question: What if the attacks come from inside the house?
That’s exactly what happened Friday. An ineptly designed update to a program rolled out by the cybersecurity company CrowdStrike and installed automatically on users’ machines instantly crashed millions of computers running Microsoft programs and left them disabled until manual fixes could be undertaken. Some haven’t been fixed yet.
Crowdstrike seemingly borrowed Boeing’s approach to quality control.
— Business blogger Ed Zitron
The fallout reached worldwide and affected people across the modern technological landscape. Thousands of flights were canceled. Doctors couldn’t perform surgeries. Banking transactions were frozen. Emergency 911 lines went silent.
The affected computers displayed what Microsoft Windows users know as the dreaded “blue screen of death.” Typically, this is a baby-blue screen bearing the message that Microsoft’s operating system hadn’t loaded correctly and the machine should be restarted.
That didn’t work this time: The errant CrowdStrike application was burrowed so deep within the Microsoft operating system — as it’s designed to do — that every time a machine restarted, it ran into the same glitch and went dead again in an infinite doom loop.
The CrowdStrike program — irony of ironies — is an anti-hacking application that identifies hacking attempts and fights them off. In the cat-and-mouse game pitting computer users against hackers, such applications have to be updated regularly. They reside in the bowels of the operating system, because in order to be effective, they have to load before almost any other function.
In this case, a coding error in the update delivered an order to the operating system that caused the system to shut down.
That’s a simplified explanation of what happened. Now let’s look at the lessons this episode teaches us — if we’re willing to learn them.
They have to do with our complacency about our dependence on digital systems, including those distributed by developers we’ve never heard of (CrowdStrike, for instance).
What few people are aware of as they go about their lives is how much crucial digital infrastructure is based on Microsoft programs and applications, and how much of those are supplemented by third-party programs and applications.
All of this must work together to work smoothly — or to appear to work smoothly. Here and there something goes wrong, but its ramifications are sufficiently constrained that it can be rectified quickly, and even invisibly.
A great deal of it, furthermore, is automated; it’s designed to run with a minimum of human intervention. In the view of the IT departments that are expected to monitor all this, humans are perpetual money pits — they need days off, get sick, demand raises, quit and must be replaced by newbies needing training, etc., etc. By comparison, machines look like a one-time capital expense — set it and forget it, is the goal.
Microsoft is the hub of these networks because Microsoft made them its business. It created an open architecture for third-party developers to piggyback on; the fundamental idea was that by extending the system’s capabilities, those other developers made Microsoft’s central system more valuable. Microsoft either outsourced some functions to independent developers, or allowed them to design applications that competed with Microsoft’s versions — but those still were designed to work with Microsoft operability.
Among those developers is Austin, Texas-based CrowdStrike, one of countless firms offering cybersecurity services to Windows users. (Microsoft’s own cybersecurity suite is known as Defender.)
Apple computers and devices don’t have the same vulnerabilities because that company does almost all its extensions in-house, and keeps a very close eye on what it allows to interact with its software and hardware; the company doesn’t allow outside applications to interact with its operating system at the fundamental level available with Microsoft’s systems.
But Apple doesn’t have anywhere near as large a footprint in enterprise services as Microsoft. A report issued in March by the government’s Cyber Safety Review Board about a major hacking intrusion into Microsoft’s cloud system in March 2023 asserted that the company’s “ubiquitous and critical products … underpin essential services that support national security, the foundations of our economy, and public health and safety.”
Anyone living in the modern world has to confront the drawbacks of our reliance on digital technology on almost a daily basis. In prehistoric days, back when our household appliances were mechanical or electric, not electronic, a breakdown was easy to diagnose and fix — switch out a tube or tighten a screw.
When a device ceases to function today, it’s often impossible to pinpoint the fault — did my TV go bad, or did the internet go down, or was it just the channel I was watching?
Yet many of us rely on a single company for multiple services. For example, I get my home phone service, broadband internet, and television/video (broadcast and cable channels and streaming) from a single provider. I don’t have much choice, since for most of these it’s the only provider in my neighborhood. But when it goes down, everything goes down.
That provider, Spectrum, has tried to sell me on its mobile phone service too. I’ve refused, because I figure I need at least one thread of access to the outside world that isn’t dependent on its all-in-one monopoly.
Microsoft’s near-dominance of cloud computing — the ecosystem through which all those enterprise computers that went dead last week communicate with each other and with the outside world — should make all of us queasy, because the company’s cybersafety record is atrocious.
The Cyber Safety Review Board investigation concluded that the March 2023 hack occurred because “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”
The board mentioned, among other things, a “cascade of … avoidable errors” in the company’s cybersecurity program, its failure to detect the compromise by hackers of its own “cryptographic crown jewels,” but only acted after a customer — the U.S. State Department — discovered the incursion itself.
The board found that Microsoft’s security practices were inferior to those of “other cloud service providers.” The report mentioned Amazon, Google and Oracle as Microsoft rivals in cloud services with better security systems.
Microsoft pledged to “adopt a new culture of engineering security in our own networks” and said it had “mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”
The CrowdStrike crash suggests that those efforts are still works in progress. It’s fair to say that much of the blame belongs to CrowdStrike, which allowed an update to a crucial application to be sent to users for automatic installation without doing the testing necessary to ensure that the update was operationally bulletproof.
Technology blogger Ed Zitron properly tied the disaster to the financialization of Big Business generally, in which pumping ever higher profits to shareholders becomes a higher priority than ensuring that one’s products meet quality standards.
“Crowdstrike seemingly borrowed Boeing’s approach to quality control,” Zitron wrote, “except instead of building planes where the doors fly off at the most inopportune times (specifically, when you’re cruising at 35,000ft), it released a piece of software that blew up the transportation and banking sectors, to name just a few.”
CrowdStrike Chief Executive George Kurtz moved promptly to “sincerely apologize” to all affected users, via a statement and an appearance on the NBC “Today” show. “We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority,” Kurtz said in a posting on the company’s website.
Microsoft placed the blame chiefly on CrowdStrike. “Although this was not a Microsoft incident, given it impacts our ecosystem, we want to provide an update on the steps we’ve taken with CrowdStrike and others to remediate and support our customers,” David Weston, a vice president for enterprise and security, wrote on the company’s website.
But Microsoft, plainly, failed to take on board the necessity of vetting every piece of third-party software that could have an effect on its own customers — before it blew up their computer systems.
No software system is immune from errors, especially now that they’re so complex and multilayered that not even their developers may know all their weak spots. (An error at Amazon’s cloud service incapacitated as many as 150,000 websites for several hours in February 2017 — a major problem, but not nearly on the scale of the CrowdStrike crash.)
But as these systems play an ever expanding role in modern life even as they become more complex, it’s incumbent on their providers to make security and safety their top priorities, not merely mouth the concept in marketing material without actually taking it seriously.
Cloud clients also need to pay more attention to what is getting automatically inserted into their systems. Who has the right to gloat over escaping the CrowdStrike meltdown last week? Amusingly, it’s Southwest Airlines. For decades, Southwest resisted Microsoft’s urgings that it upgrade its systems to the latest versions of Windows, relying on Windows 3.1, which is 32 years old — so antique that the CrowdStrike update wouldn’t even work on the airline’s systems.
So while affected carriers such as Delta, United and American had canceled nearly 2,400 flights by 6 p.m. Friday, Southwest had canceled three. (By midday Monday, the number of canceled flights reached beyond 12,300.) That doesn’t mean that Southwest gets everything right. After all, the airline suffered more than its competitors from the ferocious storm in December 2022 that snarled air traffic nationwide — precisely because it had not paid enough attention to keeping its computer systems updated.
In this case, however, Southwest’s cheapskate culture was its savior. That may only put it on the same level as the proverbial blind squirrel that occasionally finds a nut. But it shows that all of our Big Business squirrels need to keep their eyes open, and focused on the perils of inattention.
Business
Waymo reports teen riders for bad behavior and delivers them to the police
Robotaxis could be turning into robocops.
A self-driving Waymo reported two teens to San Mateo, Calif., police on Monday after they were found drinking alcohol and shooting toy guns in the back of the vehicle.
According to a social media post from the San Mateo Police Department, officers detained two 15-year-olds after the Waymo they were riding in contacted the department and stopped in a parking lot until law enforcement arrived.
“Parents do you know where your teens are?” the San Mateo Police Department wrote on Facebook following the incident. “Waymo does!”
Officers removed both teens from the vehicle and determined they were using toy guns to shoot Orbeez out the windows. Orbeez are small, water-absorbing beads sold at toy stores.
“Toy guns, water guns, and BB guns all pose real dangers, especially to an untrained eye,” the Police Department said. “The simple handling of them can cause fear in [passersby].” “
A video posted on Facebook shows at least five officers and a police dog responding to the scene and approaching the Waymo with their weapons raised.
Waymo did not immediately respond to a request for comment.
Waymo vehicles have internal cameras and microphones that may be used in an emergency or to “promote safety and security,” according to Waymo’s online support page.
The cameras are also used to ensure the vehicles are clean and to help find lost items, according to the support page.
The company said it does not use facial recognition or other biometric identification technologies to identify individuals.
“In more urgent circumstances, support may access live video during a trip,” the Waymo page said.
The San Mateo Police Department’s Facebook post has garnered nearly 60 comments, with one user accusing Waymo of “snitching.”
“At least they got a designated driver?!” one user commented.
Business
Commentary: How right-wing anti-transgender attacks led to a Supreme Court ruling upholding sex discrimination
At the Supreme Court, the unfounded fear of boys masquerading as girls in youth sports rolled the clock back on gender equality.
On the surface, the Supreme Court’s June 30 opinion upholding state laws barring transgender girls from women’s and girl’s sports teams looks like a victory for women’s rights.
The 6-3 opinion by Justice Brett M. Kavanaugh certainly presents itself that way. “Females and males have inherent physical differences relevant to athletic performance,” Kavanaugh wrote. “Therefore, in contact sports, forcing female athletes to compete against males can create significant safety risks.” He also asserted that “forcing female athletes to compete against males can undermine competitive fairness.”
The ruling applied to prohibitions enacted in Idaho and West Virginia against “biological” males’ participation on women’s teams in public schools. Federal judges in both states overturned the bans. The Supreme Court majority restored them. The ruling essentially upholds similar bans enacted in 25 other states.
There was no record of any transgender person participating in school sports in the State, let alone any ‘problem’ with transgender students … creating unfair competition or unsafe conditions.
— Justice Sonia Sotomayor, demolishing the Supreme Court’s argument in favor of banning transgender girls from girl’s sports
Kavanaugh, like Donald Trump and others in the anti-transgender camp, maintained that one’s gender is an immutable fact of life, established even before birth.
Anything else, Trump stated in an executive order he issued on inauguration day 2025, could only be the product of “gender ideology extremism.” The U.S., his order stated, recognizes “two sexes, male and female. These sexes are not changeable and are grounded in fundamental and incontrovertible reality.” That’s a “biological truth,” he declared.
In his own version of this overconfident and factually insupportable conclusion, Kavanaugh wrote: “As all agree, females and males have inherent physical differences relevant to athletic performance.”
Science recognizes that some people are “born with sex traits that don’t fit into typical male or female patterns,” to cite a discussion on the Cleveland Clinic web page on the topic “intersex.” The condition “may involve chromosomes, hormones, reproductive organs or genitals.”
From a psychological standpoint, medical science recognizes “gender dysphoria” as a real condition often requiring counseling and medical intervention such as the use of puberty blockers and hormones to stave off the development of secondary sex characteristics until the condition can be resolved.
No one disputes that there are physical differences between the sexes. Few would dispute that on average or even at the median, males may be bigger and more powerful than females, or that in certain contact sports the difference may be telling and on occasion dangerous.
But that’s not the same as asserting that the physical differences between males and females invariably mean that men will invariably prevail over women in all competitions or that their participation will endanger women.
The International Olympic Committee — in a policy statement Kavanaugh cited incompletely — says that in “most running and swimming events,” males have a 10% to 12% advantage over women. That’s a range that would accommodate the full spectrum of outcomes — transgender females win, cisfemales win, they tie. (The “cis” prefix denotes those living consistent with their birth gender.)
West Virginia and Idaho addressed this ambiguity by banning transgender women from all girls’ teams. So under their rules transgender girls can’t play football or soccer with cisgirls. But what’s the argument in favor of banning them from the 100-yard dash, or cross-country track, or diving, or archery?
But something else is going on here. The Supreme Court’s ruling was almost preordained, given the years-long campaign by conservatives to demonize transgender individuals as if they’re members of an alien species.
It will be recalled that during his presidential campaign, Trump spun a despicable fantasy in which children were kidnapped in school and secretly subjected to sex-change operations.
Trump’s executive order wiped out policies aimed at protecting transgender adults from discrimination. He moved to outlaw gender-affirming medical therapies for anyone under 19 by cutting off federal funding for healthcare institutions that provide such care.
He banned transgender individuals from serving in the military and ordered federal prison officials to move transgender inmates into the general populations consistent with their birth genders, which exposes them to physical assault. (Federal Judge Royce Lamberth of Washington, D.C., has blocked the government from transferring three transgender women into the male prison population or terminating their hormone treatments.)
I wrote during Trump’s first term, when his anti-transgender policies were still gestating, that the goal was to show that “one can target any community, as long as it doesn’t have a strong political voice or political power. These are the actions of bullies and cowards, pretending to be strong.”
Last year, the Supreme Court struck its first blow against transgender rights by upholding a Tennessee law banning transgender care, including puberty blockers and hormone therapy, for minors. Similar laws have been enacted in 25 other states. The majority in that ruling by Chief Justice John G. Roberts Jr. was identical to the one in the June 30 ruling — Roberts, Kavanaugh, and Justices Clarence Thomas, Samuel A. Alito Jr., Neil M. Gorsuch and Amy Coney Barrett.
Who are the targets of this ideological campaign? They number only about 1.6 million U.S. adults, or one-half of 1% of the U.S. population. About 300,000 adolescents ages 13 to 17, or 1.4%, identify as transgender, according to a study by UCLA School of Law.
In West Virginia, as Justice Sonia Sotomayor observed in her dissenting opinion, “there was no record of any transgender person participating in school sports in the State, let along any ‘problem’ with transgender students … creating unfair competition or unsafe conditions.”
In endorsing the flat bans directed at transgender women in Idaho and West Virginia, Kavanaugh argued that any attempt to implement case-by-case judgments of students’ requests to join sports teams inconsistent with their biological gender would create “an enormous practical and administrability problem.”
Is that so? That wasn’t the case in Maine, where the annual K-12 population is more than 170,000. There, a committee was charged with determining whether a student’s participation in a sport consistent with their gender identity but inconsistent with their biological sex would “result in an unfair athletic advantage” or present a risk of injury to others. The committee held 56 hearings from 2013 through 2021, or an average of seven per year. During the entire time span, only four involved transgender girls. (The outcome of those hearings couldn’t be learned.)
It was Maine’s policy, one might recall, that provoked a confrontation between Trump and Maine Gov. Janet Mills at the White House last year, when Trump threatened to withhold federal funding from the state unless it barred transgender students from competing on women’s sports teams. “We’ll see you in court,” Mills snapped.
Whether the Idaho and West Virginia laws genuinely protect girls from unfair competition is questionable. (The Idaho law is styled the “Fairness in Women’s Sports Act.”) In practice, the laws may subject women in public schools to “invasive sex verification procedures,” as educational expert George Theoharis of Syracuse University wrote after the court ruling.
They’re also based on a retrograde view of women as fragile creatures needing men’s protection, Theoharis wrote — “the same logic that has historically been used to justify excluding women from making their own healthcare decisions and girls from rigorous math and science; that physically demanding work is simply beyond them.” (There don’t appear to be any state laws barring transgender women from competing in men’s sports.)
Becky Pepper-Jackson, the plaintiff in the West Virginia case, in which she is identified only as B.P.J., is the only transgender girl who sought to join girl’s teams — track and cross-country — in the state. That was in 2021, just after West Virginia passed its law and she was about to enter sixth grade. She didn’t appear to pose any competitive risk to others on the track and cross-country teams she applied to join — her lawyers told the Supreme Court that on those no-cut teams, she “came in near the back.”
Anyway, she had not gone through male puberty, which theoretically might have endowed her with a competitive advantage, because she had been taking puberty blockers and female hormones.
Thanks to the court’s ruling, Sotomayor observed in a dissent joined by Justices Elena Kagan and Ketanji Brown Jackson, West Virginia can deny Becky access to school sports “because it thinks they have an inherent athletic advantage, even if the facts show that they do not.”
B.P.J., Sotomayor wrote, “cannot practice on girls’ teams, even if she would not take anyone’s spot in an eventual competition, even if everyone who tries out for the team makes it, and even if having the chance to participate could aid immensely in treating B. P. J.’s gender dysphoria.”
So whose interest was really protected by the Supreme Court?
Business
Orange County real estate investor pleads not guilty in $100 million bank fraud case
An Orange County real estate investor accused of criminally defrauding an Arizona bank of nearly $100 million pleaded not guilty Monday and remains in custody.
Mahender Makhijani, 44, of Corona del Mar — who also was ordered by an arbitrator to pay $1.34 billion in a separate civil fraud case — was arraigned in Santa Ana federal court on two charges.
He is accused of bank fraud and making a false statement to a bank in a June 8 case involving a $100 million real estate loan made by Phoenix-based Western Alliance Bank. He was taken into custody on June 10.
Makhijani is accused of providing bogus collateral for the October 2024 loan now in default. In a civil lawsuit, Western Alliance said the outstanding balance as nearly $99 million.
Prosecutors say he falsified title insurance policies that showed the bank would have a first lien on the underlying collateral if the loan went bad, when in fact it did not.
A trial was set for August 11 before U.S. District Judge David O. Carter in Santa Ana.
Michael Schachter, his criminal defense attorney, did not respond to messages seeking comment.
In the civil case, an arbitrator in May ordered Makhijani to pay Laguna Beach real estate mogul Mohammad Honarkar $1.34 billion after ruling he had fraudulently induced him into a 2021 joint venture — and then wrested control and lost to creditors more than two dozen properties Honarkar had owned.
Makhijani has not been criminally charged in that case, but prosecutors alleged in an affidavit in support of the bank fraud charges that he used “force and threats” in his dealings with Honarkar and others — including taking over the landmark Hotel Laguna in 2023 that Honarkar was renovating.
Prosecutors sought to hold Makhijani without bail after his arrest.
The affidavit noted he is a legal Indian immigrant with a home and bank accounts in that country, has access to private jets and threatened to “run away” if caught in a difficult situation.
The request was denied and he was granted $500,000 bail.
However, Makhijani remains in custody after a hearing sought by prosecutors last month before Magistrate Judge Autumn Spaeth.
The judge declined to accept a $450,000 cashier’s check submitted by a Makhijani associate for the bail, finding insufficient proof the source of the funds was legitimate, according to court records.
Makhijani is not prominent outside Orange County real estate circles, but he established a thriving distressed-assets business over the last decade that attracted prominent Southern California real estate investors.
Prosecutors said it paid for a lifestyle that included two multimillion-dollar homes in Corona del Mar, a luxury apartment in Newport Beach and various luxury vehicles.
As of last month, prosecutors had not fully traced his assets, which they believe are not held in his name and some of which may be in India.
The businessman employed an array of shell companies and strawmen to sign documents on his behalf, and to stand in for him as operators of his companies, according to the affidavit.
Makhijani told an associate he took extra precautions because wanted to insulate himself from litigation and that “they were sharks in the distressed world who took advantage of people,” the affidavit stated.
-
Los Angeles, Ca13 minutes agoBicyclist killed by hit-and-run driver in Long Beach
-
Detroit, MI31 minutes agoChild shot while riding bike outside home on Detroit’s west side, police say
-
San Francisco, CA43 minutes agoBay Area restaurant has strict policy on acceptable children behavior
-
Dallas, TX46 minutes agoDetroit Pistons trade Marcus Sasser to Dusty May’s Dallas Mavericks
-
Miami, FL51 minutes agoThe offseason has been a massive success for the Miami Heat
-
Boston, MA58 minutes ago
Can’t afford Boston’s priciest restaurants? Try these instead. – The Boston Globe
-
Denver, CO1 hour agoCity of Denver says images of piling waste a case of illegal dumping
-
Seattle, WA1 hour ago14-year-old dies in electric motorcycle crash at Seattle bike park