Information systems|Data security expert Petteri Järvinen is amazed that a simple mistake was not noticed in advance.

The world stopped at the end of July because of a rudimentary error by the information security company Crowdstrike, says information security expert Petteri Järvinen.

On July 19, Crowdstrike’s botched security update brought down 8.5 million devices running Microsoft’s Windows operating system, causing massive technical problems around the world.

Due to the disturbance, thousands of flights had to be canceled, among other things. There were also problems in, for example, train traffic, banking services, healthcare systems and television channel broadcasts.

Crowdstrike released a report this week explaining the technical cause of the disruption.

According to Petteri Järvinen, the report reveals gaps in the way Crowdstrike tests its software.

According to the report, the July 19 update included 20 definitions, while the security program was instructed to read 21 values from the file. So one was missing.

“From a programming perspective, this is a very basic mistake,” says Järvinen.

Unlike applications, the security program runs in the kernel of the operating system. It is the only place where the security program can monitor the activity of other applications.

The missing last value caused the security program to crash.

“It then had catastrophic consequences,” states Järvinen.

How did it happen? The report does not directly answer that.

The renewed program came into use in February. It had been updated several times during the spring and summer. Since the updates specified a maximum of 20 values, the problem was not detected.

Järvinen thinks that at some point in the company’s process, track was lost of how many parameters the update data file can contain at most.

Järvinen is not surprised that mistakes happen in a complex chain. However, he is surprised that the error was not noticed.

According to Järvinen, you usually protect yourself from similar mistakes by testing all possible combinations, even those that should not be encountered in practice.

In addition, programs almost always have a built-in ability to investigate and identify errors. When an error is detected, the program should be able to decide what to do next. In the case of July, this did not happen.

“The system should have informed in a controlled manner that there are too many values and therefore the protection is not in use, but let’s continue the execution of the program.”

The report states that internal error checking has now been added to the system. Järvinen wonders why it wasn’t there in the first place.
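
The check described above, sketched in C as an added example (not CrowdStrike's code and not taken from the report): the supplied count is compared with the 21 values the reader expects before anything is read, and a mismatch disables the rule instead of crashing. The names `update`, `load_rule` and `check_constructed` and the sample values are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define EXPECTED_FIELDS 21u  /* values the reader is instructed to read */

/* Hypothetical in-memory form of one update file. */
struct update {
    const char *const *values;  /* definitions supplied by the update */
    size_t count;               /* how many were actually supplied */
};

enum load_status { RULE_ACTIVE, RULE_DISABLED };

/* Copy the values only after the supplied count has been verified.
 * On a mismatch nothing is read and the caller carries on without the rule. */
enum load_status load_rule(const struct update *u,
                           const char *out[], size_t out_len)
{
    if (u == NULL || u->values == NULL || out == NULL || out_len < EXPECTED_FIELDS)
        return RULE_DISABLED;
    if (u->count != EXPECTED_FIELDS) {
        fprintf(stderr, "update rejected: %zu values supplied, %u expected\n",
                u->count, EXPECTED_FIELDS);
        return RULE_DISABLED;
    }
    for (size_t i = 0; i < EXPECTED_FIELDS; i++)
        out[i] = u->values[i];
    return RULE_ACTIVE;
}

/* Constructed sample data: 21 placeholder values. */
static const char *const sample[EXPECTED_FIELDS] = {
    "v0", "v1", "v2", "v3", "v4", "v5", "v6", "v7", "v8", "v9", "v10",
    "v11", "v12", "v13", "v14", "v15", "v16", "v17", "v18", "v19", "v20"
};

/* Load an update that supplies only the first `count` sample values. */
enum load_status check_constructed(size_t count)
{
    const char *out[EXPECTED_FIELDS];
    struct update u = { sample, count };
    return load_rule(&u, out, EXPECTED_FIELDS);
}

int main(void)
{
    printf("20 values: %d, 21 values: %d\n", check_constructed(20), check_constructed(21));
    return 0;
}
```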

Based on the report, it seems that there was no intent or, for example, hacking behind the disruption in July.

According to Järvinen, it is unlikely that a similar mistake would be repeated, at least at the same company.

He thinks the incident also jolted all information security companies into thinking about their own processes and quality assurance.

“There are a million other possibilities for making mistakes if you are careless or in a hurry. I have to hope that all information security companies learn from this.”

The case showed that a small mistake can have enormous consequences. According to Järvinen, one missing line or revision can paralyze the entire Western society.

“Luckily no one died this time.”

Järvinen does not believe that Crowdstrike will open up the issue further than the report that has just been published.

“It may be that more detailed internal explanations will be demanded in court proceedings.”