‘ On Wednesday, some of the people who posted about the gift card said that when they went to redeem the offer, they got an error message saying the voucher had been canceled. When TechCrunch checked the voucher, the Uber Eats page provided an error message that said the gift card “has been canceled by the issuing party and is no longer valid.”’
Kitboga is a well-known streamer whose entire schtick is wasting scammers' time. He uses a voice changer and has a very thorough setup of fake websites including Google, the Google Play store, a bank, and more, as well as fake screen sharing tricks that show him exactly what a scammer is trying to do when they use a remote-access tool to access his system. When they use their RAT to black out his screen so they can hide DOM manipulation in the browser or something, he can actually watch them do it.
In the video above, at about 53:00 in, Kitboga "redeems" the fake Google Play Store card that he "bought" rather than letting the scammer copy the numbers.
One thing he's shown many times is how persistent scammers can be. One time he hit the password reset on his fake bank and made the scammer help him solve a password game. https://youtu.be/wkLPk2tmyNI
Am I correct in interpreting that they canceled a multi-use code after it was shared publicly? I think that would be quite reasonable and an insignificant offense compared to pushing code that breaks your clients' computers or offering $10 of compensation for having done so.
If I'm ever part of a company that causes an outage like this I will resign immediately and offer to help as a consultant for an immediate 5-figure cash retainer. I can't imagine how many devs at CS likely went into full overdrive and aren't getting paid for it.
Not quite enough? The last time I had a "discount" for Uber Eats, it was a $15 meal with so many fees on it that AFTER the $30 discount, I still needed to pay $35. Cancelled.
Yes, Uber Eats is so expensive it feels like they could give away $10 vouchers and still make a handsome profit. I wonder how much CrowdStrike paid for these vouchers? Surely nothing like $10 each.
Maybe someone in Uber's marketing department was very clever and saw this opportunity. "He Crowdstrike, we see that you are having a bad week. How about we help you out with free gift cards for your customers. That will help fix up the relationships". Or maybe they even paid Crowdstrike.
£7.75 GBP, ill admit i haven't used Uber eats in years because the prices are insane but im not sure that covers much more than the delivery fee.
(Also, people who want McDonalds 20 minutes after it was remotely edible and shaken to shit on the back of a moped, who are you? I see the bikes everywhere but have never met one of you irl)
This reminds me of something that happened at a former employer. After I had been employed there for a couple of years, someone in HR or Legal noticed that the programmers had never signed any "our code belongs to the company" agreement. So they asked us to sign a paper to that effect, and gave us each a check for $20. My thought was that I always assumed the company owned this code, but if they were going to pay for it, then $20 was waaaay too little. Anyway I took the $20, signed the paper, and got back to work. But it always gave me a chuckle.
This is because it's a contract oddity - if they told you to sign it but offered nothing; you could challenge it in court, and the courts have often said a "one-sided contract" is not valid (e.g., you give me copyright I give you nothing).
The $20 is "due consideration" - just like how some deals involve selling an item for a dollar.
Any contract requires consideration. Without it, it's not a valid contract. It doesn't require fair consideration, so a clause giving e.g. $1 is typical for many contracts. They were nice and bumped it up to $20.
I suspect your work DID belong to the company already, under work-for-hire doctrine, but an explicit contract avoids that ambiguity. Ambiguity can be bad and super-expensive, whether during litigation or even something like an audit. If someone is buying a company, investing, making a major loan, that's the kind thing which comes up in due diligence and can be annoying.
So I don't think they were paying you for the code, so much as trying to come into compliance. Very likely, this was triggered by some similar audit for some deal they were trying to make.
You think the $20 was consideration, and yet you think they were not paying for the code? Aren't these the same thing?
> Ambiguity can be bad and super-expensive
If the corporation had some ambiguity in their favor, I expect they would call it "value" and ask for as much as they could get to remove it. But if the ambiguity is in favor of an employee or client, let's remove it for a token $20. Ugly society this one is.
$20 consideration for reducing legal ambiguity around code they already own. Even if it's almost guaranteed to roll in favor of the employer, simply having to litigate it is enormously expensive. Such litigation would be detrimental to everyone but the lawyers, but that won't stop people from thinking they have a case.
I'm with you, companies will always look out for their own interests, but when clarification minimizes logistical waste, it's possible to benefit everyone.
The ambiguity is not in the favor of anyone except lawyers. As an employee, you can:
1) Spend $100k in litigation to discover your boss owns the code
2) Get $20
Fights don't benefit anyone. Some companies would act like dicks and "ask for as much as they could get to remove it," but in most cases, that's not what happens either. A company like that would never get repeat business. Coincidentally, some employees do the same, with similar consequences. And there are employers everyone knows not to work for.
Resolving this sort of thing for a buck -- in the way a court would rule -- is really standard common-sense practice.
Interesting. I worked for a company that got bought by another company. Pretty much everyone was a salaried employee with a standard employment contract. There was no formal rehire process, but at some point the new company did the same thing as OP's company, saying that anything we produce at work or with work resources belongs to the company. But with an added "no moonlighting" clause.
We did not get any consideration, cash, or gift cards. Instead we were told that if we didn't sign the new company's mandatory agreements, our employment status could be up for review.
That's exactly it. The $20 is not an assessed value of the code; it's to establish consideration. $1 would have been legal. It's legal to make asymmetric contracts that benefit one party more than the other, just not contracts that are completely one-sided. They probably did $20 just so it wouldn't seem quite as insulting.
Anytime you see stories of "[insert name of rich CEO or politician] takes salary of only $1", that's why. They can't work literally for free, or the rest of the contract becomes nonbinding.
If you are assigning me some rights or an entire piece of IP, I must provide you with some consideration (monetary compensation) for that to be a valid contract. You cannot simply “gift” it to me.
So I would, as part of the contract, hand over $1 or $20 to establish that I have skin in the game and have paid for this contract be valid. The consideration could be stock and other things, but it can’t be null.
At arm's length mean, it must be an adequate amount. For example, I can sell a 10 Million dollar home in most jurisdictions to you for 1 USD. While this contract may be valid, it may create tax liabilities because the tax authorities will say this was not a sale, this was a gift.
As a counter example: In many jurisdictions, a work contract that specifically request lots of overtime or forbids working for a competitor in the future would require a significant extra payment and not 1 USD. 1 USD would not be considered at arm's length.
Sure, agreed. That is not the case that is being referred to here, where someone was assigning over IP that they had built while employed by the company but without an explicit agreement about who owns that IP. In this case, $1 or $20 would have been completely fine, as it was consideration for past IP. The work had already been paid for (salary, benefits, etc).
* Contract law does not require arm's length. A contract for $1 is okay.
* Tax law may require arms length.
* I've never heard of arm's length in employment law, but there are laws which lead to what you describe (e.g. mandatory overtime pay, minimum wage, etc.). In some jurisdictions, there are limitations on how much an employer can change the terms of employment. If you hire me for $100k, and after I quit my old job a week into the new one, you give a pay cut to $80k and otherwise change the terms of the deal, that might not be okay.
Consideration is generally money (but more generally and dangerously something actually received in exchange for giving away something else in the contract.) It can't be a binding contract if there is no exchange such as merely signing away the code.
The comment was US-specific. Similar doctrines are found though in Canadian, British, and continental European (though not so much in Scandinavian systems which often do allow totally one-sided contracts in the idea that promises are binding but with other limiting factors).
The idea in systems which have this rule is that contracts are exchanges of promises and there must be an exchange in order to be valid.
Watch out for "work-for-hire doctrine" erm... assumptions.
Last time I looked work-for-hire law only takes effect if there is explicit mention of the term "work-for-hire" in the contract, otherwise it's not "work-for-hire". And I have never seen a contract actually mention "work-for-hire".
Do current employment contracts state "work-for-hire"?
Ohhh, I was wrong. Seems there are two categories where work made for hire applies. One is specifically for work made by an employee (with some constraints / definitions on that) for work made within their scope of employment. The other category requires explicit mention of "work for hire".
So that a conventional employee is covered, but a contractor / consultant with a separate business probably isn't.
Salary in this case would serve as the consideration for the work they perform, but lawyers love making things as explicit as possible (understandably).
They already paid you for the code, so it's already theirs, they are just making it explicitly stated. If you don't sign it, they end your employment. And the odds of them willing to lose employment over this and trying to claim the company's code as their own and that getting to court is near non-existent. But again as I said, lawyers like to make it explicit.
I agree with all of this, just my objections was to claiming the consideration being "the salary you already agreed to in order to sign your employee agreement" would not work therefore the token $20 amount.
This is also why companies will reward employees filing a patent application with a silver dollar. It's a nice token of appreciation but also fulfills the contract aspect of assigning rights.
My friends and I contracted to a company in 2004 to build a text message system. The company decided they didn't want to pay us the last month's bill. They'd spent all their money buying a custom Harley as a prize for the customers and now had nothing left.
We met with their CEO+CFO+lawyers and our lawyers. They were adamant they wouldn't pay the last payment. We pulled out our contract and showed they didn't own any of their code because there was no IP transfer in there. They said "We need a minute." We left the room, came back in and there was a check for the outstanding balance in the middle of the table.
No big deal. Crowdstrike is a poor company. Not much value to leverage. New company takes over and inserts their superior product. And bring value to their company.
I wonder when we'll start to have some estimate of indirect/direct death toll. This took down several 911 type services and hospitals, some reported imaging down, some being back to paper and pen at ER.
At least their domain is descriptive, that article is much to do about nothing -- civil cases aren't criminal cases with a boolean outcome. The award isn't recognition that the life was worth $4, it is a recognition that the defendant did just about nothing wrong.
I've begun referring to them as ClownStrike, given that so far they have seemed to act more like a bunch of circus clowns than an actual knowledgeable entity.
This tone deaf offer just reinforces the impression that they are just a bunch of clowns.
50 years from now, unclassified documents reveal that crowdstrike was secretly a CIA controlled business which was operating an offensive botnet created for the anticipated cyberwar, with a peacetime cover story of being security software with automatic updates. Everybody rolls their eyes and asks how anybody ever fell for that when the name openly says what it is.
Probably bullshit, but honestly... Wtf is up with the name?
It's a dumb name and I've already wasted a considerable amount of time looking for an explanation but to no avail. Sounds like something a group of seven year old boys would come up with because it sounded cool.
Why do you think this is BS? It perfectly explains the name and also why something like this is installed so ubiquitously and still installed despite such a massive screw up. Also offensive capabilities need wide deployment just as much as defensive. Cybersecurity and cyberwar is a real thing, and surely DDOS botnets are a core part of that.
Maybe it's controlled by the CIA, or maybe just has a quiet contract with USCYBERCOM and/or ARCCYBER.
I mean, people don't seem that concerned about all of the nuclear missiles and submarines, aircraft carriers, and US military bases everywhere. Computers and the internet are now part of that and have been for quite awhile. If you are invested in this system then you probably want that dominance to continue (otherwise you should probably start learning Chinese). In which case we probably need something like a "crowd strike" widely deployed on the monopoly OS so that we have offensive capabilities.
If you don't like that idea then why use Windows at all? Use Linux at least.
I don't think this is really conspiracy theory territory unless you are in denial that cyberwarfare exists or that the US must participate in it.
Curious who gets one. Like, a big company (airline, bank, etc) that had to hand touch 10,000+ devices across the world.
Crowdstrike is sending what? Like 15 $10 cards to the little area in IT that handles desktops/kiosks/atms/etc? Or the to the Cyber area that bought it, but mostly wasn't saddled with fixing the issue?
This is definitely worse than no gift card. Insulting. A general maxim: When something is a big deal, your response should make a bigger deal out of it than the complaints. $10 says "We don't think this matters." Now watch as everyone explains precisely why it does. PR 101 fail.
More like..."We recognize that we have a moral, ethical, and likely legal obligation to make things right and pay back the damage we have caused...but we're not going to."
“We are sorry. We really messed up with this deployment. In fact, we’ve questioned whether we should be alive, or whether we should have even been born at all. Heck, maybe none of this should exist.”
The only way I can imagine one-upping the detractors at this point.
Heh, at my last job my store was breaking all sorts of profit records and generally put every other store in the district to shame. I don't need to tell you that we worked hard for that.
Corporate sent us a $25 gift card. Not for each of us, one $25 gift card for a team of 8 people. We had made well over three million in sales that year. Felt like a slap in the face for a job well done.
I suppose you are downvoted because your last statement is not necessarily true. But you are right that the post is vague about how many people exactly received a gift card, since it only says that "partners" received a gift card. The thought that CrowdStrike sent one $10 gift card per partner company is hilarious. They botched the update and apparently they botched this narrative too.
People are just piling on here and I suspect there is a misunderstanding because this makes zero sense. The article is based on 4 tweets, 3 of which no longer exist. It’s a poorly researched and poorly written article based on largely non-credible sources.
Specifically, “partners” were getting gift cards and there is no mention of customers. It sounds more like they were throwing around gift cards to channel partners, MSP’s, contractors, etc. It’s still tone deaf but a far cry from a $10 apology to customers.
What fraction of the reporting is "CrowdStrike" versus "CloudStrike"? The first reporting I heard was "CloudStrike", but the company appears to be "CrowdStrike".
It'll be interesting if Cloud vs Crowd emerges as a Mandela Effect.
Other examples include memories of the respective title component of the Berenstain Bears children's books being spelled "Berenstein", the logo of clothing brand Fruit of the Loom featuring a cornucopia, Darth Vader telling Luke Skywalker, "Luke, I am your father" in the climax of The Empire Strikes Back (he actually says, "No, I am your father" in response to Skywalker's assertion that Vader killed his father), Mr. Monopoly wearing a monocle, and the existence of a 1990s movie titled Shazaam starring comedian Sinbad as a genie.
181 comments
[ 12.7 ms ] story [ 259 ms ] threadhttps://youtu.be/sRMMwpDTs5k
Kitboga is a well-known streamer whose entire schtick is wasting scammers' time. He uses a voice changer and has a very thorough setup of fake websites including Google, the Google Play store, a bank, and more, as well as fake screen sharing tricks that show him exactly what a scammer is trying to do when they use a remote-access tool to access his system. When they use their RAT to black out his screen so they can hide DOM manipulation in the browser or something, he can actually watch them do it.
In the video above, at about 53:00 in, Kitboga "redeems" the fake Google Play Store card that he "bought" rather than letting the scammer copy the numbers.
One thing he's shown many times is how persistent scammers can be. One time he hit the password reset on his fake bank and made the scammer help him solve a password game. https://youtu.be/wkLPk2tmyNI
Actually that'd be far better than if it were really Crowdstrike thinking $10 would resolve this.
So I believe OP cleverly circled that back around to the gift card. WP.
Just like they didn't plan for their testing infrastructure to have its infamous error.
While I do understand that this might have been sent by a department far removed from IT, it's still scary that they didn't think of possible abuse.
At least an Amazon gift card is near its cash value, when you account for the markup on food delivery that $10 is about 4 USD
(Also, people who want McDonalds 20 minutes after it was remotely edible and shaken to shit on the back of a moped, who are you? I see the bikes everywhere but have never met one of you irl)
The $20 is "due consideration" - just like how some deals involve selling an item for a dollar.
Any contract requires consideration. Without it, it's not a valid contract. It doesn't require fair consideration, so a clause giving e.g. $1 is typical for many contracts. They were nice and bumped it up to $20.
I suspect your work DID belong to the company already, under work-for-hire doctrine, but an explicit contract avoids that ambiguity. Ambiguity can be bad and super-expensive, whether during litigation or even something like an audit. If someone is buying a company, investing, making a major loan, that's the kind thing which comes up in due diligence and can be annoying.
So I don't think they were paying you for the code, so much as trying to come into compliance. Very likely, this was triggered by some similar audit for some deal they were trying to make.
> Ambiguity can be bad and super-expensive
If the corporation had some ambiguity in their favor, I expect they would call it "value" and ask for as much as they could get to remove it. But if the ambiguity is in favor of an employee or client, let's remove it for a token $20. Ugly society this one is.
I'm with you, companies will always look out for their own interests, but when clarification minimizes logistical waste, it's possible to benefit everyone.
1) Spend $100k in litigation to discover your boss owns the code
2) Get $20
Fights don't benefit anyone. Some companies would act like dicks and "ask for as much as they could get to remove it," but in most cases, that's not what happens either. A company like that would never get repeat business. Coincidentally, some employees do the same, with similar consequences. And there are employers everyone knows not to work for.
Resolving this sort of thing for a buck -- in the way a court would rule -- is really standard common-sense practice.
We did not get any consideration, cash, or gift cards. Instead we were told that if we didn't sign the new company's mandatory agreements, our employment status could be up for review.
Anytime you see stories of "[insert name of rich CEO or politician] takes salary of only $1", that's why. They can't work literally for free, or the rest of the contract becomes nonbinding.
I am not a lawyer and I don't understand this phrase. But many legal systems require that a contract is at arm's length.
So I would, as part of the contract, hand over $1 or $20 to establish that I have skin in the game and have paid for this contract be valid. The consideration could be stock and other things, but it can’t be null.
As a counter example: In many jurisdictions, a work contract that specifically request lots of overtime or forbids working for a competitor in the future would require a significant extra payment and not 1 USD. 1 USD would not be considered at arm's length.
* Contract law does not require arm's length. A contract for $1 is okay.
* Tax law may require arms length.
* I've never heard of arm's length in employment law, but there are laws which lead to what you describe (e.g. mandatory overtime pay, minimum wage, etc.). In some jurisdictions, there are limitations on how much an employer can change the terms of employment. If you hire me for $100k, and after I quit my old job a week into the new one, you give a pay cut to $80k and otherwise change the terms of the deal, that might not be okay.
The idea in systems which have this rule is that contracts are exchanges of promises and there must be an exchange in order to be valid.
Last time I looked work-for-hire law only takes effect if there is explicit mention of the term "work-for-hire" in the contract, otherwise it's not "work-for-hire". And I have never seen a contract actually mention "work-for-hire".
Do current employment contracts state "work-for-hire"?
So that a conventional employee is covered, but a contractor / consultant with a separate business probably isn't.
https://www.nolo.com/legal-encyclopedia/consideration-every-...
Any contract request that includes a small cash payout should merit extra scrutiny.
We met with their CEO+CFO+lawyers and our lawyers. They were adamant they wouldn't pay the last payment. We pulled out our contract and showed they didn't own any of their code because there was no IP transfer in there. They said "We need a minute." We left the room, came back in and there was a check for the outstanding balance in the middle of the table.
[0] https://hotair.com/jazz-shaw/2018/06/01/jury-awards-family-f...
https://www.tcpalm.com/story/news/local/st-lucie-county/2022...
All involved very split juries - so I think the low amount was kind of a compromise by the jury in each case.
> jurors sent a note to U.S. District Judge Aileen Cannon stating “we are deadlocked. We are unable to come to a unanimous decision.”
> Cannon encouraged them to continue deliberating.
Not in civil trials.
Louisiana and Oregon didn't require unanimous juries in many criminal trials either until 2019 and 2020 respectively.
[1]: https://apnews.com/article/a4f065037299491913827b7d8eda9023
[2]: https://www.findlaw.com/litigation/filing-a-lawsuit/trial-an...
I would what cold hard cash, plus I do not want to put a sypware app on my phone for just $10.
I find it funny that their name, CrowdStrike, sounds like an anti-personnel reaper drone. Now metaphorically fits.
This tone deaf offer just reinforces the impression that they are just a bunch of clowns.
Probably bullshit, but honestly... Wtf is up with the name?
Maybe it's controlled by the CIA, or maybe just has a quiet contract with USCYBERCOM and/or ARCCYBER.
I mean, people don't seem that concerned about all of the nuclear missiles and submarines, aircraft carriers, and US military bases everywhere. Computers and the internet are now part of that and have been for quite awhile. If you are invested in this system then you probably want that dominance to continue (otherwise you should probably start learning Chinese). In which case we probably need something like a "crowd strike" widely deployed on the monopoly OS so that we have offensive capabilities.
If you don't like that idea then why use Windows at all? Use Linux at least.
I don't think this is really conspiracy theory territory unless you are in denial that cyberwarfare exists or that the US must participate in it.
...wait
Crowdstrike is sending what? Like 15 $10 cards to the little area in IT that handles desktops/kiosks/atms/etc? Or the to the Cyber area that bought it, but mostly wasn't saddled with fixing the issue?
I just don't immediately believe a publicly-traded company with this many users does something this stupid.
They're trying to use the equivalent of "pizzas for everyone who works late for this crunch!", and consider the matter closed.
That's really not going to work.
More like..."We recognize that we have a moral, ethical, and likely legal obligation to make things right and pay back the damage we have caused...but we're not going to."
The only way I can imagine one-upping the detractors at this point.
Corporate sent us a $25 gift card. Not for each of us, one $25 gift card for a team of 8 people. We had made well over three million in sales that year. Felt like a slap in the face for a job well done.
Specifically, “partners” were getting gift cards and there is no mention of customers. It sounds more like they were throwing around gift cards to channel partners, MSP’s, contractors, etc. It’s still tone deaf but a far cry from a $10 apology to customers.
Other examples include memories of the respective title component of the Berenstain Bears children's books being spelled "Berenstein", the logo of clothing brand Fruit of the Loom featuring a cornucopia, Darth Vader telling Luke Skywalker, "Luke, I am your father" in the climax of The Empire Strikes Back (he actually says, "No, I am your father" in response to Skywalker's assertion that Vader killed his father), Mr. Monopoly wearing a monocle, and the existence of a 1990s movie titled Shazaam starring comedian Sinbad as a genie.
https://en.wikipedia.org/wiki/False_memory
e.g. https://fortune.com/2024/07/19/cloudstrike-microsoft-massive... https://www.standard.net/news/business/2024/jul/23/lessons-l...
Looks like a minority, though it's concerning that Fortune reported it with an incorrect name.