Business
Column: The CrowdStrike meltdown reminds us that the hacking problem doesn't come only from outside
Just last Wednesday, I posted a column reporting how our richest corporations, through sheer miserliness and profit-seeking, left millions of Americans vulnerable to technological attacks on their privacy and welfare.
I failed to raise one important question: What if the attacks come from inside the house?
That’s exactly what happened Friday. An ineptly designed update to a program rolled out by the cybersecurity company CrowdStrike and installed automatically on users’ machines instantly crashed millions of computers running Microsoft programs and left them disabled until manual fixes could be undertaken. Some haven’t been fixed yet.
The fallout reached worldwide and affected people across the modern technological landscape. Thousands of flights were canceled. Doctors couldn’t perform surgeries. Banking transactions were frozen. Emergency 911 lines went silent.
The affected computers displayed what Microsoft Windows users know as the dreaded “blue screen of death.” Typically, this is a baby-blue screen bearing the message that Microsoft’s operating system hadn’t loaded correctly and the machine should be restarted.
That didn’t work this time: The errant CrowdStrike application was burrowed so deep within the Microsoft operating system — as it’s designed to do — that every time a machine restarted, it ran into the same glitch and went dead again in an infinite doom loop.
The CrowdStrike program — irony of ironies — is an anti-hacking application that identifies hacking attempts and fights them off. In the cat-and-mouse game pitting computer users against hackers, such applications have to be updated regularly. They reside in the bowels of the operating system, because in order to be effective, they have to load before almost any other function.
In this case, a coding error in the update delivered an order to the operating system that caused the system to shut down.
That’s a simplified explanation of what happened. Now let’s look at the lessons this episode teaches us — if we’re willing to learn them.
They have to do with our complacency about our dependence on digital systems, including those distributed by developers we’ve never heard of (CrowdStrike, for instance).
What few people are aware of as they go about their lives is how much crucial digital infrastructure is based on Microsoft programs and applications, and how much of those are supplemented by third-party programs and applications.
All of this must work together to work smoothly — or to appear to work smoothly. Here and there something goes wrong, but its ramifications are sufficiently constrained that it can be rectified quickly, and even invisibly.
A great deal of it, furthermore, is automated; it’s designed to run with a minimum of human intervention. In the view of the IT departments that are expected to monitor all this, humans are perpetual money pits — they need days off, get sick, demand raises, quit and must be replaced by newbies needing training, etc., etc. By comparison, machines look like a one-time capital expense — set it and forget it, is the goal.
Microsoft is the hub of these networks because Microsoft made them its business. It created an open architecture for third-party developers to piggyback on; the fundamental idea was that by extending the system’s capabilities, those other developers made Microsoft’s central system more valuable. Microsoft either outsourced some functions to independent developers, or allowed them to design applications that competed with Microsoft’s versions — but those still were designed to work with Microsoft operability.
Among those developers is Austin, Texas-based CrowdStrike, one of countless firms offering cybersecurity services to Windows users. (Microsoft’s own cybersecurity suite is known as Defender.)
Apple computers and devices don’t have the same vulnerabilities because that company does almost all its extensions in-house, and keeps a very close eye on what it allows to interact with its software and hardware; the company doesn’t allow outside applications to interact with its operating system at the fundamental level available with Microsoft’s systems.
But Apple doesn’t have anywhere near as large a footprint in enterprise services as Microsoft. A report issued in March by the government’s Cyber Safety Review Board about a major hacking intrusion into Microsoft’s cloud system in March 2023 asserted that the company’s “ubiquitous and critical products … underpin essential services that support national security, the foundations of our economy, and public health and safety.”
Anyone living in the modern world has to confront the drawbacks of our reliance on digital technology on almost a daily basis. In prehistoric days, back when our household appliances were mechanical or electric, not electronic, a breakdown was easy to diagnose and fix — switch out a tube or tighten a screw.
When a device ceases to function today, it’s often impossible to pinpoint the fault — did my TV go bad, or did the internet go down, or was it just the channel I was watching?
Yet many of us rely on a single company for multiple services. For example, I get my home phone service, broadband internet, and television/video (broadcast and cable channels and streaming) from a single provider. I don’t have much choice, since for most of these it’s the only provider in my neighborhood. But when it goes down, everything goes down.
That provider, Spectrum, has tried to sell me on its mobile phone service too. I’ve refused, because I figure I need at least one thread of access to the outside world that isn’t dependent on its all-in-one monopoly.
Microsoft’s near-dominance of cloud computing — the ecosystem through which all those enterprise computers that went dead last week communicate with each other and with the outside world — should make all of us queasy, because the company’s cybersafety record is atrocious.
The Cyber Safety Review Board investigation concluded that the March 2023 hack occurred because “Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”
The board cited, among other things, a “cascade of … avoidable errors” in the company’s cybersecurity program and its failure to detect the compromise by hackers of its own “cryptographic crown jewels”; the company acted only after a customer — the U.S. State Department — discovered the incursion itself.
The board found that Microsoft’s security practices were inferior to those of “other cloud service providers.” The report mentioned Amazon, Google and Oracle as Microsoft rivals in cloud services with better security systems.
Microsoft pledged to “adopt a new culture of engineering security in our own networks” and said it had “mobilized our engineering teams to identify and mitigate legacy infrastructure, improve processes, and enforce security benchmarks.”
The CrowdStrike crash suggests that those efforts are still works in progress. It’s fair to say that much of the blame belongs to CrowdStrike, which allowed an update to a crucial application to be sent to users for automatic installation without doing the testing necessary to ensure that the update was operationally bulletproof.
Technology blogger Ed Zitron properly tied the disaster to the financialization of Big Business generally, in which pumping ever higher profits to shareholders becomes a higher priority than ensuring that one’s products meet quality standards.
“Crowdstrike seemingly borrowed Boeing’s approach to quality control,” Zitron wrote, “except instead of building planes where the doors fly off at the most inopportune times (specifically, when you’re cruising at 35,000ft), it released a piece of software that blew up the transportation and banking sectors, to name just a few.”
CrowdStrike Chief Executive George Kurtz moved promptly to “sincerely apologize” to all affected users, via a statement and an appearance on the NBC “Today” show. “We quickly identified the issue and deployed a fix, allowing us to focus diligently on restoring customer systems as our highest priority,” Kurtz said in a posting on the company’s website.
Microsoft placed the blame chiefly on CrowdStrike. “Although this was not a Microsoft incident, given it impacts our ecosystem, we want to provide an update on the steps we’ve taken with CrowdStrike and others to remediate and support our customers,” David Weston, a vice president for enterprise and security, wrote on the company’s website.
But Microsoft, plainly, failed to take on board the necessity of vetting every piece of third-party software that could have an effect on its own customers — before it blew up their computer systems.
No software system is immune from errors, especially now that they’re so complex and multilayered that not even their developers may know all their weak spots. (An error at Amazon’s cloud service incapacitated as many as 150,000 websites for several hours in February 2017 — a major problem, but not nearly on the scale of the CrowdStrike crash.)
But as these systems play an ever expanding role in modern life even as they become more complex, it’s incumbent on their providers to make security and safety their top priorities, not merely mouth the concept in marketing material without actually taking it seriously.
Cloud clients also need to pay more attention to what is getting automatically inserted into their systems. Who has the right to gloat over escaping the CrowdStrike meltdown last week? Amusingly, it’s Southwest Airlines. For decades, Southwest resisted Microsoft’s urgings that it upgrade its systems to the latest versions of Windows, relying on Windows 3.1, which is 32 years old — so antique that the CrowdStrike update wouldn’t even work on the airline’s systems.
So while affected carriers such as Delta, United and American had canceled nearly 2,400 flights by 6 p.m. Friday, Southwest had canceled three. (By midday Monday, the number of canceled flights reached beyond 12,300.) That doesn’t mean that Southwest gets everything right. After all, the airline suffered more than its competitors from the ferocious storm in December 2022 that snarled air traffic nationwide — precisely because it had not paid enough attention to keeping its computer systems updated.
In this case, however, Southwest’s cheapskate culture was its savior. That may only put it on the same level as the proverbial blind squirrel that occasionally finds a nut. But it shows that all of our Big Business squirrels need to keep their eyes open, and focused on the perils of inattention.
Business
Rent-hike ban to protect fire victims ends despite gouging concerns
A rule intended to prevent rent gouging in the wake of the Eaton and Palisades fires has lapsed in Los Angeles County, possibly exposing some renters to hikes.
The executive order that blocked rent increases was issued by Gov. Gavin Newsom amid the devastating wildfires last year. Under the order, landlords couldn’t increase rents by more than 10% above their prefire levels.
The rule, which was supposed to be temporary and was repeatedly extended, ended Friday after a motion to extend it again failed to garner enough votes. Supervisor Lindsey Horvath, whose district includes Pacific Palisades, sounded the alarm in a motion to extend price protections that failed to pass at the Board of Supervisors’ May 19 meeting.
“These price gouging protections continue to be necessary as construction and rebuilding continue, and as thousands of people remain displaced,” the motion said. “Families which signed short-term leases could face drastic price increases of 50% or more without further price gouging protection.”
Los Angeles County is home to more than 1 million rental properties, though not all of them needed protection from the new rule. There are already stricter rent increase caps for many residences, depending on the location, type and age of the building. Despite the rent control in the region, the people of Los Angeles pay among the highest rents in the country.
It is uncertain whether renters will face rapidly rising rents now that the protection has lapsed. But some real estate experts and policymakers said there was no need for the temporary rule that was part of the governor’s state of emergency.
Supervisors Kathryn Barger, Janice Hahn and Holly Mitchell abstained from voting on the motion to extend the protection, while Supervisors Hilda Solis and Horvath supported it.
“I abstained because I did not see sufficient evidence to justify extending this emergency ordinance, nor did I see evidence to eliminate it entirely,” Hahn said.
Barger’s office said she supported allowing the protections to sunset while waiting to see whether new information emerged.
“Market data already shows countywide rents are only about 2% above pre-emergency levels and rental inventory has grown,” Barger representative Helen E. Chavez Garcia said. “The Supervisor is also mindful of the burden these ongoing protections place on small property owners throughout the county.”
Mitchell did not immediately respond to a request for comment.
There haven’t been steep rent hikes in neighborhoods within three miles of the Palisades fire, according to a Times analysis of data from Zillow, the property listing company.
In ZIP Codes within three miles of the Palisades fire, rent increased 4.8% from December 2024 to April 2025. In areas around the Eaton fire, which destroyed swaths of Altadena, rent jumped 5.2% in the same period.
In L.A. County, ZIP Codes farther from the fires saw only about a 2% increase.
A landlords’ representative, Jesus Rojas of the Apartment Owners Assn. of Greater Los Angeles, told the supervisors during public comment at the meeting that the county’s rent-gouging rules have “long outlived the emergency they were intended to address” and are now being “wrongfully used to harm thousands of rental housing providers throughout the county.”
“There is no proof that multifamily rental housing providers are hugely increasing rents for impacted homeowners,” Rojas said.
Indeed, there are strong signs that the property market in the Los Angeles area has at last begun to cool.
L.A. metro-area rent prices recently fell to a four-year low, with the median rent slipping to $2,167 in December.
Meanwhile, condominium sales had their slowest start of the year in decades. Condo sales in Los Angeles have plummeted to a 20-year low, with fewer than 2,000 units sold in January and February — the worst start to the year since 2005.
Newsom defended the price-gouging protections shortly after they went into effect.
“In the days following the Los Angeles firestorms, we worked quickly to protect Los Angeles survivors from any form of exploitation,” he said in February 2025. “The state has the tools in place to not only block price gouging during this emergency, but also to prosecute bad actors.”
The Los Angeles County Department of Consumer and Business Affairs said it received more than 2,000 complaints after the fires, alleging that retailers and landlords were taking advantage of people put in hardship by their losses, and sent out more than 2,000 cease-and-desist letters to businesses and landlords for alleged price gouging, said Morine Merritt, who oversees department investigations into consumer and real estate fraud.
“Close to 90% of the complaints that we received involved allegations of rent increases,” Merritt said in an interview. Now that the fire-related protections have expired, existing laws and “regular market conditions determine price increases for goods and services, including rents,” she said.
Crackdowns on fire-related rent gouging have been rare, said Chelsea Kirk of the activist organization the Rent Brigade, which analyzed L.A. County’s rental market in the year after the fires. It reported 18,360 potential examples of price gouging in listings but said that few lawsuits had been filed by authorities so far.
Last week, Rent Brigade announced what it said was the first private civil lawsuit brought by a family that claimed to be rent-gouged in the aftermath of the wildfires. Plaintiffs Randall and Candy Renick, whose Altadena home was damaged, said they were charged nearly three times the maximum permitted rate for nearly 10 months. They seek restitution of $96,000 plus civil penalties and attorneys’ fees.
The rental market has probably stabilized since the fires, Kirk said, but other families may still be “locked into illegal rents” that they agreed to pay when they were in a rush to find housing after they were displaced.
Business
Read Nick Bilton’s Letter to Scott Pelley
Dear Mr. Pelley:
I meant what I said in my letter last week to the 60 Minutes team: joining 60 Minutes is the honor of my career and I am grateful to be working alongside the people who have contributed to the most important television journalism brand this country has ever produced. While I’m new to 60 Minutes, I’ve devoted my career to investigative journalism and storytelling. I started this job excited to collaborate and to benefit from the wisdom and experience of the 60 Minutes veterans, with you among them. For that reason, one of the first things I did in my new role was call you to talk and invite you to dinner. It is a profound disappointment that you rejected that overture and chose ambush instead. Yesterday, you hijacked my first meeting with staff to disparage me, my qualifications, and my intentions with remarkable incivility and contempt. I welcome a diversity of viewpoints and respectful debate among the team, but this was nothing of the sort. Yesterday’s performative display of hostility, enacted in front of the staff instead of in a civil, private conversation, demonstrated that you have no interest in contributing to the future success of the show, or approaching my new tenure with a mind open to collaboration and progress. I am here to deliver first-in-class news programming, not to make headlines about newsroom drama. I am eager to work alongside those who share this goal.
Despite yesterday’s misconduct, I had hoped that in sitting down with you today we could find a path forward together. You made clear that you are not interested in such a path.
Your antipathy to the future of the show has come through loud and clear. And I have heard you. I therefore write on behalf of CBS News, Inc. (“CBS”) to inform you that your employment with CBS is terminated for cause effective immediately. Enclosed is your formal termination letter.
Sincerely,
Nick Bilton
Executive Producer, 60 Minutes
Business
Aspiration co-founder sentenced to 14 years for fraud
The co-founder of Aspiration, Joseph Sanberg, was sentenced to 14 years in prison on Monday after defrauding investors and lenders of over $248 million.
The startup, an eco-friendly digital banking company boasting fossil fuel-free investments, carbon offsets for gas purchases, and a debit card with cash-back benefits for shopping at clean companies, was founded by Sanberg and Andrei Cherny. Cherny left the company in 2022 and has not been charged.
Sanberg, an Orange County native, pleaded guilty to wire fraud in October after being arrested in March last year. Aspiration subsequently filed for bankruptcy and liquidated all of its assets by July.
Sanberg and venture capitalist Ibrahim AlHusseini, who also faces charges, together forged a series of bank statements in order to obtain loans. From 2020 to 2021, the pair forged AlHusseini’s bank statements to show millions of dollars in assets in order to obtain millions of dollars from lenders.
Additionally, they forged a letter from their audit committee stating that $250 million in funds were available, when in reality Aspiration had less than $1 million. The amount of loans defrauded exceeded $248 million.
In 2021, Sanberg artificially inflated Aspiration’s 2021 revenue by $44 million by recruiting 27 fake customers to sign letters of intent pledging tens of thousands of dollars per month for tree planting services. Sanberg himself funded the contracts and used the inflated revenue numbers to obtain more loans.
The charges sparked an NBA investigation into salary cap allegations due to Aspiration’s connections with Clippers owner Steve Ballmer.
Ballmer personally invested $60 million in Aspiration, all of which was lost. He is now the target of a civil lawsuit alleging his participation in the scheme. Ballmer denies the allegations.
The team announced a $300-million sponsorship deal with Aspiration, and Clippers player Kawhi Leonard signed a four-year, $28-million marketing contract with the company, for which he reportedly performed no duties. The issue has raised concerns about how players are circumventing the NBA’s salary cap.
The team lost the $300-million sponsorship deal and an additional $20 million paid for carbon offset purchases.