kidbomb on Hacker News

With the whole Crowdstrike fiasco, I wonder how IT analysts can properly communicate the risks of having a 3rd party service malfunction to leadership.

For example, most of us operate in the AWS space, and are aware of the risk of regional failures. While some choose to accept the risk, some instead have multi-regional deployments.

Should all these (Saas) tools be listed in a risk assessment matrix listing whether the risk can be eliminated/mitigated, or at least transferred? And if we are accepting the risk, what is the impact?

6kidbomb1y ago4

kidbomb

Recent submissions

$75M Crypto Wallet Bulk Hack [video] (opens in new tab)

A year in the life of a Staff Engineer (opens in new tab)

Prompt Injection Defenses (opens in new tab)

CVE 2025-23266 (NVIDIAScape) – An update (opens in new tab)

CVE 2025-23266 (NVIDIAScape) – A Detailed writeup (opens in new tab)

Contain Me If You Can (opens in new tab)

I Spy: Escalating to Entra ID's Global Admin with a First-Party App (opens in new tab)

Operational Responsibility (opens in new tab)

GPU-Accelerated TensorFlow (opens in new tab)

Attacking UEFI (2017) (opens in new tab)

Direct Memory Access Attacks – A Walk Down Memory Lane (opens in new tab)

Extending our Envoy mesh with staging overrides (opens in new tab)

Man-in-the-Middle PCB Unlocks HP Ink Cartridges (opens in new tab)

Ask HN: Should a risk assessment list all dependent tools?