CrowdStrike will be liable for damages in France, based on the OVH precedent
Scope of Liability and Jurisdictions
- Many commenters expect CrowdStrike to face significant liability in France and possibly elsewhere, noting that generic liability waivers often don’t override local law, especially in the EU.
- Some argue B2B contracts and “sophisticated parties” will limit recovery, especially where contracts disclaim responsibility; others counter that gross negligence often cannot be disclaimed.
- The OVH precedent (the French ruling that held OVH liable for customer data destroyed in its 2021 Strasbourg datacenter fire, despite its contractual limitations) is debated: some think it clearly supports liability (the service failed its basic purpose), others say it is not directly comparable since OVH involved permanent data loss, while CrowdStrike “only” caused downtime.
- Several note cross‑border enforcement options: local assets can be seized, and judgments can be registered in other countries; many states also have treaties to facilitate this.
- There is skepticism that courts will award damages large enough to be company‑ending, though some think that would be appropriate given the scale.
Responsibility: Vendor vs Customers
- Strong criticism that CrowdStrike pushed content to a kernel‑privileged component without robust parsing of that content, a staged rollout, canary hosts, or logic to stop a crash loop after repeated boot failures. This is widely labeled as negligent.
- Others emphasize customer responsibility: critical infrastructure relying on a single EDR vendor, auto‑updating across all machines at once, and weak disaster‑recovery planning.
- Some argue hospitals and similar entities should never have allowed such a black‑box, high‑privilege agent on life‑critical systems; others point out CrowdStrike’s own terms say it’s not for such use.
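The vendor-side controls named in the first bullet (validate content before a privileged component loads it, roll out in rings, watch canaries, stop a crash loop) and the customer-side point in the second (auto-updating every machine at once) can be shown in one small simulation. The code below is an added illustration, not CrowdStrike's code and not anything posted in the thread; the rule-file format, the fleet and ring sizes, the `nargs`/`args` fields and the "version 2 crashes every host that loads it" failure model are all constructed for the demo.

```python
"""Staged rollout with canary gating and a boot-side crash-loop breaker.

Added illustration only: the update format, fleet and failure model are
constructed here and are not CrowdStrike's or the thread's.
"""
from dataclasses import dataclass
from typing import Callable, List

MAX_RULES = 1000
MAX_PATTERN_LEN = 256
CRASH_LOOP_THRESHOLD = 3   # consecutive boot failures before content is disabled


def validate_content(update: dict) -> List[str]:
    """Bounds-check a hypothetical rule file before anything privileged loads it.
    Returns a list of problems; empty means the file is structurally sound."""
    problems = []
    rules = update.get("rules")
    if not isinstance(rules, list):
        return ["rules must be a list"]
    if len(rules) > MAX_RULES:
        problems.append(f"too many rules ({len(rules)} > {MAX_RULES})")
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict):
            problems.append(f"rule {i}: not an object")
            continue
        pat = rule.get("pattern")
        if not isinstance(pat, str) or not pat or len(pat) > MAX_PATTERN_LEN:
            problems.append(f"rule {i}: pattern missing or longer than {MAX_PATTERN_LEN}")
        # A declared count that disagrees with the payload is a classic way to make
        # a fixed-layout parser read past the end of its input.
        declared, actual = rule.get("nargs"), rule.get("args", [])
        if not isinstance(declared, int) or declared != len(actual):
            problems.append(f"rule {i}: nargs={declared!r} but {len(actual)} args present")
    return problems


@dataclass
class Host:
    name: str
    ring: int                    # 0 = canaries; higher rings get the update later
    content_version: int = 0
    crashes_since_update: int = 0
    quarantined: bool = False    # breaker tripped: new content disabled, last-known-good used

    def boot(self, crashes: Callable[["Host"], bool]) -> bool:
        """One boot attempt; True if the host came up."""
        if self.quarantined:
            return True          # new content no longer loaded, so the host boots
        if crashes(self):
            self.crashes_since_update += 1
            if self.crashes_since_update >= CRASH_LOOP_THRESHOLD:
                self.quarantined = True   # stop the loop instead of rebooting forever
            return False
        return True

    def boot_until_stable(self, crashes: Callable[["Host"], bool]) -> bool:
        """True if the host came up running the new content; False if the
        breaker had to disable the content to get it up."""
        for _ in range(CRASH_LOOP_THRESHOLD + 1):
            if self.boot(crashes):
                return not self.quarantined
        return False


@dataclass
class RolloutResult:
    rings_touched: List[int]
    halted: bool
    reason: str


def staged_rollout(hosts: List[Host], update: dict,
                   crashes: Callable[[Host], bool]) -> RolloutResult:
    """Validate, then push ring by ring; stop at the first ring where any host
    crash-loops. Hosts in later rings never receive the update."""
    problems = validate_content(update)
    if problems:
        return RolloutResult([], True, "rejected before rollout: " + "; ".join(problems))
    touched: List[int] = []
    for ring in sorted({h.ring for h in hosts}):
        ring_hosts = [h for h in hosts if h.ring == ring]
        for h in ring_hosts:
            h.content_version, h.crashes_since_update, h.quarantined = update["version"], 0, False
        touched.append(ring)
        looping = [h.name for h in ring_hosts if not h.boot_until_stable(crashes)]
        if looping:
            return RolloutResult(touched, True,
                                 f"ring {ring}: {len(looping)}/{len(ring_hosts)} hosts crash-looped")
    return RolloutResult(touched, False, "all rings healthy")


def make_fleet(ring_sizes: List[int]) -> List[Host]:
    """Constructed fleet: ring_sizes[i] hosts in ring i."""
    return [Host(f"r{ring}-h{i}", ring) for ring, n in enumerate(ring_sizes) for i in range(n)]


def blast_radius(hosts: List[Host]) -> int:
    """Number of hosts whose breaker had to trip."""
    return sum(h.quarantined for h in hosts)


# Constructed updates and failure model: version 2 crashes every host that loads it.
GOOD_UPDATE = {"version": 1, "rules": [{"pattern": "evil.exe", "nargs": 1, "args": ["x"]}]}
CRASHY_UPDATE = {"version": 2, "rules": [{"pattern": "evil.exe", "nargs": 1, "args": ["x"]}]}
MALFORMED_UPDATE = {"version": 3, "rules": [{"pattern": "evil.exe", "nargs": 2, "args": ["x"]}]}

def crashes_on_v2(host: Host) -> bool:
    return host.content_version == 2


if __name__ == "__main__":
    staged = make_fleet([2, 10, 100])            # 2 canaries, then 10, then 100
    print(staged_rollout(staged, CRASHY_UPDATE, crashes_on_v2).reason, "| affected:", blast_radius(staged))
    flat = make_fleet([112])                     # same 112 hosts, no staging: all at once
    print(staged_rollout(flat, CRASHY_UPDATE, crashes_on_v2).reason, "| affected:", blast_radius(flat))
    print(staged_rollout(make_fleet([2]), MALFORMED_UPDATE, crashes_on_v2).reason)
```

With rings of 2/10/100 the crashy update trips the breaker on the two canaries and never reaches the other 110 hosts; put the same 112 hosts in a single ring and all 112 crash-loop before the breaker lets them boot on last-known-good content. The malformed file never leaves the validator. Any single check here is cheap; the thread's complaint is that none of them appear to have been in the path.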
Monoculture and Systemic Risk
- Repeated concern about Windows and a single EDR platform dominating critical infrastructure; a single bug took down large swaths of the world at once.
- Several call for more OS diversity and architectural redundancy, while others note dual independent stacks for complex sectors like healthcare may be economically unrealistic.
EDR Tools, Security Model, and Alternatives
- Deep thread on why EDR exists at all: OS‑native controls (e.g., Windows Defender, Linux hardening) are seen by some as insufficient, especially against user‑initiated malware and insider threats.
- Others view EDR as “snake oil” that adds huge attack surface and reliability risk, arguing for simpler designs: strong roots of trust, immutable images, strict allow‑listing, and better OS‑level protections.
- Debate over whether third‑party tools outperform Microsoft’s Defender; some cite industry evaluations, others say evidence is thin and marketing‑driven.
Reputational and Practical Fallout
- Consensus that CrowdStrike’s reputation is badly damaged, regardless of formal liability.
- The $10 gift card gesture is widely ridiculed; some suspect it was legal positioning, others note it was for partners, not customers.