Business
Column: The CrowdStrike meltdown reminds us that the hacking problem doesn't come only from outside
Just last Wednesday, I posted a column reporting how our richest corporations, through sheer miserliness and profit-seeking, left millions of Americans vulnerable to technological attacks on their privacy and welfare.
I failed to raise one important question: What if the attacks come from inside the house?
That’s exactly what happened Friday. An ineptly designed update to a program rolled out by the cybersecurity company CrowdStrike and installed automatically on users’ machines instantly crashed millions of computers running Microsoft programs and left them disabled until manual fixes could be undertaken. Some haven’t been fixed yet.
Crowdstrike seemingly borrowed Boeing’s approach to quality control.
— Business blogger Ed Zitron
The fallout reached worldwide and affected people across the modern technological landscape. Thousands of flights were canceled. Doctors couldn’t perform surgeries. Banking transactions were frozen. Emergency 911 lines went silent.
The affected computers displayed what Microsoft Windows users know as the dreaded “blue screen of death.” Typically, this is a baby-blue screen bearing the message that Microsoft’s operating system hadn’t loaded correctly and the machine should be restarted.
That didn’t work this time: The errant CrowdStrike application was burrowed so deep within the Microsoft operating system — as it’s designed to do — that every time a machine restarted, it ran into the same glitch and went dead again in an infinite doom loop.
The CrowdStrike program — irony of ironies — is an anti-hacking application that identifies hacking attempts and fights them off. In the cat-and-mouse game pitting computer users against hackers, such applications have to be updated regularly. They reside in the bowels of the operating system, because in order to be effective, they have to load before almost any other function.
In this case, a coding error in the update delivered an order to the operating system that caused the system to shut down.
That’s a simplified explanation of what happened. Now let’s look at the lessons this episode teaches us — if we’re willing to learn them.
They have to do with our complacency about our dependence on digital systems, including those distributed by developers we’ve never heard of (CrowdStrike, for instance).
What few people are aware of as they go about their lives is how much crucial digital infrastructure is based on Microsoft programs and applications, and how much of those are supplemented by third-party programs and applications.
All of this must work together to work smoothly — or to appear to work smoothly. Here and there something goes wrong, but its ramifications are sufficiently constrained that it can be rectified quickly, and even invisibly.
A great deal of it, furthermore, is automated; it’s designed to run with a minimum of human intervention. In the view of the IT departments that are expected to monitor all this, humans are perpetual money pits — they need days off, get sick, demand raises, quit and must be replaced by newbies needing training, etc., etc. By comparison, machines look like a one-time capital expense — set it and forget it, is the goal.
Microsoft is the hub of these networks because Microsoft made them its business. It created an open architecture for third-party developers to piggyback on; the fundamental idea was that by extending the system’s capabilities, those other developers made Microsoft’s central system more valuable. Microsoft either outsourced some functions to independent developers, or allowed them to design applications that competed with Microsoft’s versions — but those still were designed to work with Microsoft operability.
Among those developers is Austin, Texas-based CrowdStrike, one of countless firms offering cybersecurity services to Windows users. (Microsoft’s own cybersecurity suite is known as Defender.)
Apple computers and devices don’t have the same vulnerabilities because that company does almost all its extensions in-house, and keeps a very close eye on what it allows to interact with its software and hardware; the company doesn’t allow outside applications to interact with its operating system at the fundamental level available with Microsoft’s systems.
But Apple doesn’t have anywhere near as large a footprint in enterprise services as Microsoft. A report issued in March by the government’s Cyber Safety Review Board about a major hacking intrusion into Microsoft’s cloud system in March 2023 asserted that the company’s “ubiquitous and critical products … underpin essential services that support national security, the foundations of our economy, and public health and safety.”
Anyone living in the modern world has to confront the drawbacks of our reliance on digital technology on almost a daily basis. In prehistoric days, back when our household appliances were mechanical or electric, not electronic, a breakdown was easy to diagnose and fix — switch out a tube or tighten a screw.
When a device ceases to function today, it’s often impossible to pinpoint the fault — did my TV go bad, or did the internet go down, or was it just the channel I was watching?
Yet many of us rely on a single company for multiple services. For example, I get my home phone service, broadband internet, and television/video (broadcast and cable channels and streaming) from a single provider. I don’t have much choice, since for most of these it’s the only provider in my neighborhood. But when it goes down, everything goes down.
That provider, Spectrum, has tried to sell me on its mobile phone service too. I’ve refused, because I figure I need at least one thread of access to the outside world that isn’t dependent on its all-in-one monopoly.
Microsoft’s near-dominance of cloud computing — the ecosystem through which all those enterprise computers that went dead last week communicate with each other and with the outside world — should make all of us queasy, because the company’s cybersafety record is atrocious.
The Cyber Safety Review Board investigation concluded that the March 2023 hack occurred because “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”
The board mentioned, among other things, a “cascade of … avoidable errors” in the company’s cybersecurity program, its failure to detect the compromise by hackers of its own “cryptographic crown jewels,” but only acted after a customer — the U.S. State Department — discovered the incursion itself.
The board found that Microsoft’s security practices were inferior to those of “other cloud service providers.” The report mentioned Amazon, Google and Oracle as Microsoft rivals in cloud services with better security systems.
Microsoft pledged to “adopt a new culture of engineering security in our own networks” and said it had “mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”
The CrowdStrike crash suggests that those efforts are still works in progress. It’s fair to say that much of the blame belongs to CrowdStrike, which allowed an update to a crucial application to be sent to users for automatic installation without doing the testing necessary to ensure that the update was operationally bulletproof.
Technology blogger Ed Zitron properly tied the disaster to the financialization of Big Business generally, in which pumping ever higher profits to shareholders becomes a higher priority than ensuring that one’s products meet quality standards.
“Crowdstrike seemingly borrowed Boeing’s approach to quality control,” Zitron wrote, “except instead of building planes where the doors fly off at the most inopportune times (specifically, when you’re cruising at 35,000ft), it released a piece of software that blew up the transportation and banking sectors, to name just a few.”
CrowdStrike Chief Executive George Kurtz moved promptly to “sincerely apologize” to all affected users, via a statement and an appearance on the NBC “Today” show. “We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority,” Kurtz said in a posting on the company’s website.
Microsoft placed the blame chiefly on CrowdStrike. “Although this was not a Microsoft incident, given it impacts our ecosystem, we want to provide an update on the steps we’ve taken with CrowdStrike and others to remediate and support our customers,” David Weston, a vice president for enterprise and security, wrote on the company’s website.
But Microsoft, plainly, failed to take on board the necessity of vetting every piece of third-party software that could have an effect on its own customers — before it blew up their computer systems.
No software system is immune from errors, especially now that they’re so complex and multilayered that not even their developers may know all their weak spots. (An error at Amazon’s cloud service incapacitated as many as 150,000 websites for several hours in February 2017 — a major problem, but not nearly on the scale of the CrowdStrike crash.)
But as these systems play an ever expanding role in modern life even as they become more complex, it’s incumbent on their providers to make security and safety their top priorities, not merely mouth the concept in marketing material without actually taking it seriously.
Cloud clients also need to pay more attention to what is getting automatically inserted into their systems. Who has the right to gloat over escaping the CrowdStrike meltdown last week? Amusingly, it’s Southwest Airlines. For decades, Southwest resisted Microsoft’s urgings that it upgrade its systems to the latest versions of Windows, relying on Windows 3.1, which is 32 years old — so antique that the CrowdStrike update wouldn’t even work on the airline’s systems.
So while affected carriers such as Delta, United and American had canceled nearly 2,400 flights by 6 p.m. Friday, Southwest had canceled three. (By midday Monday, the number of canceled flights reached beyond 12,300.) That doesn’t mean that Southwest gets everything right. After all, the airline suffered more than its competitors from the ferocious storm in December 2022 that snarled air traffic nationwide — precisely because it had not paid enough attention to keeping its computer systems updated.
In this case, however, Southwest’s cheapskate culture was its savior. That may only put it on the same level as the proverbial blind squirrel that occasionally finds a nut. But it shows that all of our Big Business squirrels need to keep their eyes open, and focused on the perils of inattention.
Times Insider explains who we are and what we do, and delivers behind-the-scenes insights into how our journalism comes together.
Politicians in Washington and the reporters who cover them have an often adversarial relationship.
But on the last Saturday in April, they gather for an irreverent celebration of press freedom and the First Amendment at the Washington Hilton Hotel: The White House Correspondents’ Association dinner.
Hosted by the association, an organization that helps ensure access for media outlets covering the presidency, the dinner attracts Hollywood stars; politicians from both parties; and representatives of more than 100 networks, newspapers, magazines and wire services.
While The Times will have two reporters in the ballroom covering the event, the company no longer buys seats at the party, said Richard W. Stevenson, the Washington bureau chief. The decision goes back almost two decades; the last dinner The Times attended as an organization was in 2007.
“We made a judgment back then that the event had become too celebrity-focused and was undercutting our need to demonstrate to readers that we always seek to maintain a proper distance from the people we cover, many of whom attend as guests,” he said.
It’s a decision, he added, that “we have stuck by through both Republican and Democratic administrations, although we support the work of the White House Correspondents’ Association.”
Susan Wessling, The Times’s Standards editor, said the policy is a product of the organization’s desire to maintain editorial independence.
“We don’t want to leave readers with any questions about our independence and credibility by seeming to be overly friendly with people whose words and actions we need to report on,” she said.
The celebrity mentalist Oz Pearlman is headlining the evening, in lieu of the usual comedy set by the likes of Stephen Colbert and Hasan Minhaj, but all eyes will be on President Trump, who will make his first appearance at the dinner as president.
Mr. Trump has boycotted the event since 2011, when he was the butt of punchlines delivered by President Barack Obama and the talk show host Seth Meyers mocking his hair, his reality TV show and his preoccupation with the “birther” movement.
Last month, though, Mr. Trump, who has a contentious relationship with the media, announced his intention to attend this year’s dinner, where he will speak to a room full of the same reporters he often derides as “enemies of the people.”
Times reporters will be there to document the highs, the lows and the reactions in the room. A reporter for the Styles desk has also been assigned to cover the robust roster of after-parties around Washington.
Some off-duty reporters from The Times will also be present at this late-night circuit, though everyone remains cognizant of their roles, said Patrick Healy, The Times’s assistant managing editor for Standards and Trust.
“If they’re reporting, there’s a notebook or recorder out as usual,” he said. “If they’re not, they’re pros who know they’re always identifiable as Times journalists.”
For most of The Times’s reporters and editors, though, the evening will be experienced from home.
“The rest of us will be able to follow the coverage,” Mr. Stevenson said, “without having to don our tuxes or gowns.”
A former female staffer who worked for Beast Industries, the media venture behind the popular YouTube channel MrBeast, is suing the company, alleging she was sexually harassed and fired shortly after she returned from maternity leave.
The employee, Lorrayne Mavromatis, a Brazilian-born social media professional, alleges in a lawsuit she was subjected to sexual harassment by the company’s management and demoted after she complained about her treatment. She said she was urged to join a conference call while in labor and expected to work during her maternity leave in violation of the Family and Medical Leave Act, according to the federal complaint filed Wednesday in the U.S. District Court for the Eastern District of North Carolina.
“This clout-chasing complaint is built on deliberate misrepresentations and categorically false statements, and we have the receipts to prove it. There is extensive evidence — including Slack and WhatsApp messages, company documents, and witness testimony — that unequivocally refutes her claims. We will not submit to opportunistic lawyers looking to manufacture a payday from us,” Gaude Paez, a Beast Industries spokesperson, said in a statement.
Jimmy Donaldson, 27, began MrBeast as a teen gaming channel that soon exploded into a media company worth an estimated $5 billion, with 500 employees and 450 million subscribers who watch its games, stunts and giveaways.
Mavromatis, who was hired in 2022 as its head of Instagram, described a pervasive climate of discrimination and harassment, according to the lawsuit.
In her complaint, she alleges the company’s former CEO James Warren made her meet him at his home for one-on-one meetings while he commented on her looks and dismissed her complaints about a male client’s unwanted advances, telling her “she should be honored that the client was hitting on her.”
When Mavromatis asked Warren why MrBeast, Donaldson, would not work with her, she was told that “she is a beautiful woman and her appearance had a certain sexual effect on Jimmy,” and, “Let’s just say that when you’re around and he goes to the restroom, he’s not actually using the restroom.”
Paez refuted the claim.
“That’s ridiculous. This is an allegation fabricated for the sole purpose of sparking headlines,” Paez said.
Mavromatis said she endured a slate of other indignities such as being told by Donaldson that she “would only participate in her video shoot if she brought him a beer.”
“In this male-centric workplace, Plaintiff, one of the few women in a high-level role, was excluded from otherwise all-male meetings, demeaned in front of colleagues, harassed, and suffered from males be given preferential treatment in employment decisions,” states the complaint.
When Mavromatis raised a question during a staff meeting with her team, she said a male colleague told her to “shut up” or “stop talking.”
At MrBeast headquarters in Greenville, N.C., she said male executives mocked female contestants participating in BeastGames, “who complained they did not have access to feminine hygiene products and clean underwear while participating in the show.”
In November 2023, Mavromatis formally complained about “the sexually inappropriate encounters and harassment, and demeaning and hostile work environment she and other female employees had been living and experiencing working at MrBeast,” to the company’s then head of human resources, Sue Parisher, who is also Donaldson’s mother, according to the suit.
In her complaint, Mavromatis said Beast Industries did not have a method or process for employees to report such issues either anonymously or to a third party, rather employees were expected to follow the company’s handbook, “How to Succeed In MrBeast Production.”
In it, employees were instructed that, “It’s okay for the boys to be childish,” “if talent wants to draw a dick on the white board in the video or do something stupid, let them” and “No does not mean no,” according to the complaint.
Mavromatis alleges that she was demoted and then fired.
Paez said that Mavromatis’s role was eliminated as part of a reorganization of an underperforming group within Beast Industries and that she was made aware of this.
Lululemon, the yoga pants and athletic clothing company, has hired a former executive from a rival, Nike, as its new chief executive.
Heidi O’Neill, who spent more than 25 years at Nike, will take the reins and join Lululemon’s board of directors on Sept. 8, the company announced on Wednesday.
The leadership change is happening during a tumultuous time for Lululemon, which had grown to $11 billion in revenue by persuading shoppers to ditch their jeans and slacks for stretchy leggings. But lately, sales have declined in North America amid intense competition and shifting fashion trends, with consumers favoring looser styles rather than the form-fitting silhouettes for which Lululemon is best known.
“As I step into the C.E.O. role in September, my job will be to build on that foundation — to accelerate product breakthroughs, deepen the brand’s cultural relevance, and unlock growth in markets around the world,” Ms. O’Neill, 61, said in a statement.
Lululemon, based in Vancouver, British Columbia, has also been entangled in a corporate power struggle over the company’s future. Its billionaire founder, Chip Wilson, has feuded with the board, nominated independent directors and criticized executives.
Lululemon’s previous chief executive, Calvin McDonald, stepped down at the end of January as pressure mounted from Mr. Wilson and some investors. One activist investor, Elliott Investment Management, had pushed its own chief executive candidate, who was not selected.
The interim co-chiefs, Meghan Frank and André Maestrini, will lead the company until Ms. O’Neill’s arrival, when they are expected to return to other senior roles. The pair had outlined a plan to revive sales at Lululemon, promising to invest in stores, save more money and speed up product development.
“We start the year with a real plan, with real strategies,” Mr. Maestrini said in an interview this year. “We make sure decisions are made fast.”
Lululemon said last month that it would add Chip Bergh, the former chief executive of Levi Strauss, to its board to replace David Mussafer, the chairman of the private equity firm Advent International, whom Mr. Wilson had sought to remove.
Ms. O’Neill climbed the organizational chart at Nike for decades, working across divisions including consumer sports, product innovation and brand marketing, and was most recently its president of consumer, product and brand. She left Nike last year amid a shake-up of senior management that led to the elimination of her role.
Analysts said Ms. O’Neill would be expected to find ways to energize Lululemon’s business and reset the company’s culture in order to improve performance.
“O’Neill is her own person who will come with an agenda of change,” said Neil Saunders, the managing director of GlobalData, a data analytics and consulting company. “The task ahead is a significant one, but it can be undertaken from a position of relative stability.”
-
Pittsburg, PA5 minutes agoCalifornia High School Football: Pittsburg releases schedule
-
Augusta, GA11 minutes agoValette Earns Elite 18 Award; Augusta Men’s Tennis Lands Three on Peach Belt All-Conference Teams – Augusta University
-
Washington, D.C17 minutes agoHow to find towed car in DC; What to do if the city tows my car
-
Cleveland, OH23 minutes agoCleveland News and Notes – Guardians Drop Series Against Astros
-
Austin, TX29 minutes ago
Athletes Race at USA Triathlon Cross National Championships in Austin, Texas
-
Alabama35 minutes agoAlabama boy’s secret Facebook post asking for cancer drug grabs national attention
-
Alaska41 minutes agoDemocratic U.S. House PAC has Alaska in its sights
-
Arizona47 minutes agoArizona Diamondbacks Gameday Thread, #25: 4/23 vs. White Sox