<oembed><type>rich</type><version>1.0</version><title>Hector Martin wrote</title><author_name>Hector Martin (npub1qk…9azpx)</author_name><author_url>https://yabu.me/npub1qk9x6yrvten3jqyvundn7exggm90fxf9yfarj5eaz25yd7aty8hqe9azpx</author_url><provider_name>njump</provider_name><provider_url>https://yabu.me</provider_url><html>One story going around is that the CrowdStrike fail was a file corrupted during postprocessing, between internal testing and the update CDN.&#xA;&#xA;That implies an epic process or design failure. One of the following has to be true:&#xA;&#xA;- They don&#39;t sign updates&#xA;- They do sign updates, but only after internal testing, and never test the final signed files in a production-equivalent setup (bonus: if this is true, their prod signing process is probably automated and not carefully controlled, and could be abused by an insider)&#xA;- They do sign updates, but the parsing code that runs *before* signature verification is not carefully audited and has bugs that BSOD on malformed input.&#xA;&#xA;Any one of those is completely unacceptable for a security product.</html></oembed>