• Logh@lemmy.ml · 109 up · 4 months ago

    Funny how CrowdStrike already sounds like some malware’s name.

    • SkyNTP@lemmy.ml · 21 up, 1 down · 4 months ago

      Not too surprising if the people making malware, and the people making the security software are basically the same people, just with slightly different business models.

      • Excrubulent@slrpnk.net · 9 up · edited · 4 months ago

        Reminds me of the tyre store that spreads tacks on the road 100m away from their store in the oncoming lanes.

        People get a flat, and oh what do you know! A tyre store! What a lucky coincidence.

      • Eylrid@lemmy.world · 6 up · 4 months ago

        Classic protection racket. “Those are some nice files you’ve got there. It’d be a shame if anything happened to them…”

  • Carighan Maconar@lemmy.world · 99 up · 4 months ago

    This is, in a lot of ways, impressive. This is CrowdStrike going full “Hold my beer!” about people talking about what bad production deploy fuckups they made.

    • KomfortablesKissen@discuss.tchncs.de · 18 up, 2 down · 4 months ago

      I’m volunteering to hold their beer.

      Everyone remember to sue the services not able to provide their respective service. Teach them to take better care of their IT landscape.

      • ricecake@sh.itjust.works · 18 up · 4 months ago

        Typically auto-applying updates to your security software is considered a good IT practice.

        Ideally you’d like, stagger the updates and cancel the rollout when things stopped coming back online, but who actually does it completely correctly?

        • KomfortablesKissen@discuss.tchncs.de · 19 up · 4 months ago

          Applying updates is considered good practice. Auto-applying is the best you can do with the money provided. My critique here is the amount of money provided.

          Also, you cannot pull a Boeing and let people die just because you cannot 100% avoid accidents. There are steps in between these two states.

              • ricecake@sh.itjust.works · 8 up · 4 months ago

                That’s totally fair. :)

                I work at a different company in the same security space as CrowdStrike, and we spend a lot of time considering stuff like “if this goes sideways, we need to make sure the hospitals can still get patient information”.

                I’m a little more generous giving the downstream entities slack for trusting that their expensive upstream security vendor isn’t shipping them something entirely fucking broken.
                Like, I can’t even imagine the procedural fuck up that results in a bsod getting shipped like that. Even if you have auto updates enabled for our stuff, we’re still slow rolling it and making sure we see things being normal before we make it available to more customers. That’s after our testing and internal deployments.

                I can’t put too much blame on our customers for trusting us when we spend a huge amount of energy convincing them we can be trusted to literally protect all their infrastructure and data.
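The staged rollout with an automatic halt that ricecake describes above and in the earlier comment (push one ring, wait for hosts to check back in, stop the rollout if they don't), as an added example in Python that is not code from any commenter or vendor. The fleet, the ring sizes, the check-in threshold and the rules deciding which hosts fail to boot are all constructed for illustration.

```python
"""Ring-based rollout with an automatic halt (added example, not vendor code).

Each ring is updated only after the previous ring has reported back healthy.
Hosts, ring sizes, the check-in threshold and the rule that decides which
hosts fail to boot are all constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ring: int                 # 0 = canary, larger numbers = larger population
    boots_after_update: bool  # constructed outcome of applying the update
    updated: bool = False
    checked_in: bool = True   # heartbeat seen after the post-update reboot


def apply_update(host: Host) -> None:
    """Push the update and record whether the host ever checked back in."""
    host.updated = True
    host.checked_in = host.boots_after_update


def make_fleet(ring_sizes, survives):
    """Constructed fleet: ring r has ring_sizes[r] hosts; survives(ring, index)
    says whether a given host comes back after the update."""
    return [
        Host(f"ring{ring}-host{i}", ring, boots_after_update=survives(ring, i))
        for ring, size in enumerate(ring_sizes)
        for i in range(size)
    ]


def staged_rollout(fleet, min_checkin_ratio=0.98):
    """Update one ring at a time; halt when a ring's check-in ratio drops below
    min_checkin_ratio, leaving later rings on their previous version.

    Returns the ring at which the rollout halted (None if it completed) and
    counts of hosts updated, hosts that never came back, and hosts spared.
    """
    halted_at = None
    for ring in sorted({h.ring for h in fleet}):
        targets = [h for h in fleet if h.ring == ring]
        for h in targets:
            apply_update(h)
        ratio = sum(h.checked_in for h in targets) / len(targets)
        if ratio < min_checkin_ratio:
            halted_at = ring
            break
    return {
        "halted_at_ring": halted_at,
        "updated": sum(h.updated for h in fleet),
        "bricked": sum(h.updated and not h.checked_in for h in fleet),
        "spared": sum(not h.updated for h in fleet),
    }


RING_SIZES = (5, 50, 500)  # canary, early adopters, everyone else (constructed)


# Constructed outcomes: an update that is fine everywhere, one that bricks every
# host, and one that only bricks hosts whose index is a multiple of 10.
def GOOD_UPDATE(ring, i):
    return True


def BAD_UPDATE(ring, i):
    return False


def PARTIAL_UPDATE(ring, i):
    return i % 10 != 0


if __name__ == "__main__":
    for label, survives in [("good", GOOD_UPDATE), ("bad", BAD_UPDATE),
                            ("partial", PARTIAL_UPDATE)]:
        print(f"{label:8s}", staged_rollout(make_fleet(RING_SIZES, survives)))
```

With a canary ring of five hosts, even a partial failure (one host in ten not coming back) trips the threshold on the first ring, so the 550 hosts in later rings never receive the update. The threshold and ring sizes are the knobs a real deployment tunes; the property worth keeping is that the rollout does not advance on silence.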

                • bleistift2@sopuli.xyz · 3 up · 4 months ago

                  You seem knowledgeable. I’m surprised that it’s even possible for a software vendor to inject code into the kernel. Why is that necessary?

                • KomfortablesKissen@discuss.tchncs.de · 3 up · 4 months ago

                  I can put the blame to your customers. If I make a contract with a bank they are responsible for my money. I don’t care about their choice of infrastructure. They are responsible for this. They have to be sued for this. Same for hospitals. Same for everyone else. Why should they be exempt from punishment for not providing the one service they were trusted to provide? Am I expected to feel for them because they made the “sensible choice” of employing the cheapest tools?

                  This was a business decision to trust someone external. It should not be tolerated that they point their fingers elsewhere.

                • deadbeef79000@lemmy.nz · 1 up · 4 months ago

                  I’m actually willing to believe that CrowdStrike was actually compromised by a bad actor that realised how fragile CS was.

  • slazer2au@lemmy.world · 11 up, 1 down · 4 months ago

    Now threat actors know what EDR they are running and can craft malware to sneak past it. yay(!)

  • LeFantome@programming.dev · 2 up · 4 months ago

    Who says it was accidental?

    Netflix knew they were going to move from DVD rentals to streaming over the Internet. It is right in their name.

    CrowdStrike knew they were eventually going to _________. It is right in their name.

    • jet@hackertalks.com · 27 up, 1 down · edited · 4 months ago

      You can not like Windows, and also recognize that CrowdStrike isn’t from Microsoft - so a problem that CrowdStrike caused isn’t the fault of Windows.

      If that makes me an idiot by holding two different ideas in my head, so be it, but you are spending time with us, so thank you for elevating us!

      • Azzu@lemm.ee · 17 up · 4 months ago

        I’m sorry, but distinguishing between different concepts is forbidden here. You go straight to jail.

      • gnutrino@programming.dev · 4 up, 3 down · 4 months ago

        I’m waiting for the post mortem before declaring this to not be anything to do with MS tbh. It’s only affecting Windows systems and it wouldn’t be the first time dumb architectural decisions on their part have caused issues (why not run the whole GUI in kernel space? What’s the worst that could happen?)

        • jet@hackertalks.com · 5 up · edited · 4 months ago

          I agree it’s possible. But if you’re a software as a service vendor, it is your responsibility to be in the alpha and beta release channels, so if there is a show stopping error coming down the pipeline you can get in front of it.

          But more tellingly, we have not seen Windows boot loop today from other vendors, only this vendor. Right now the balance of probabilities is in the direction of CrowdStrike.

          • gnutrino@programming.dev · 3 up, 3 down · 4 months ago

            I’m not sure how to break this to you but this is just an internet forum, not a court of law

            • jorp@lemmy.world · 3 up, 1 down · 4 months ago

              The reason courts use it is because they value having true opinions. But you’re welcome to not value that indeed

              • psud@aussie.zone · 3 up, 1 down · 4 months ago

                The reason courts have rules of how convinced one must be to declare guilt is because they dread punishing an innocent over allowing a guilty person free

                We aren’t in a position to hurt the probably guilty party so it doesn’t matter a bit if we jump to conclusions unfairly

    • Cornelius_Wangenheim@lemmy.world · 18 up · edited · 4 months ago

      Because it isn’t. Their Linux sensor also uses a kernel driver, which means they could have just as easily caused a looping kernel panic on every Linux device it’s installed on.

      • YTG123@sopuli.xyz · 2 up, 8 down · 4 months ago

        There’s no way of knowing that, though. Perhaps their Linux and Darwin drivers wouldn’t have panicked the system?

        Regardless, doing almost anything at the kernel level is never a good idea

        • ricecake@sh.itjust.works · 5 up · 4 months ago

          Also, it’s less about “their” drivers and more about what a kernel module can do.
          Saying “there’s no way to know” doesn’t fit, because we do know that a malformed kernel module can destabilize a Linux or Mac system.

          “Malformed file” isn’t a programming defect or something you can fix by having a better API.
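The “malformed file” point above is where the defensive engineering actually lives: code that runs in the kernel has no exception handler to fall back on, so every length and offset read from an update file has to be checked against the buffer before it is used. As an added example that is not code from any commenter or vendor, the following Python parses a constructed rule-file format two ways and shows the difference between trusting the file and validating it. The format, the size limits, the `MalformedContent` error type and the sample inputs are all assumptions made for the example.

```python
"""Fail-safe parsing of an untrusted content update (added example, not vendor code).

A constructed binary rule-file format (4-byte magic, u16 entry count, then
entries of u16 kind, u16 length, payload) is parsed two ways: a parser that
trusts the counts and lengths in the file, and one that validates every field
against the buffer before using it and raises a typed error, so the caller can
reject the file and keep its last known-good rules.
"""
import struct

MAGIC = b"RULE"
HEADER = struct.Struct("<4sH")   # magic, entry count
ENTRY = struct.Struct("<HH")     # kind, payload length
MAX_ENTRIES = 1024               # sanity limits for the constructed format
MAX_PAYLOAD = 4096


class MalformedContent(ValueError):
    """The validating parser's only failure mode; never an out-of-bounds read."""


def build(entries):
    """Serialise [(kind, payload), ...] into the constructed format."""
    out = bytearray(HEADER.pack(MAGIC, len(entries)))
    for kind, payload in entries:
        out += ENTRY.pack(kind, len(payload)) + payload
    return bytes(out)


def parse_trusting(buf):
    """Believes the file: reads wherever the declared count and lengths point."""
    _, count = HEADER.unpack_from(buf, 0)
    off, rules = HEADER.size, []
    for _ in range(count):
        kind, length = ENTRY.unpack_from(buf, off)   # struct.error if past the end
        off += ENTRY.size
        rules.append((kind, buf[off:off + length]))  # silently short if length lies
        off += length
    return rules


def parse_validating(buf):
    """Checks every field against the buffer before using it."""
    if len(buf) < HEADER.size:
        raise MalformedContent("truncated header")
    magic, count = HEADER.unpack_from(buf, 0)
    if magic != MAGIC:
        raise MalformedContent("bad magic")
    if count > MAX_ENTRIES:
        raise MalformedContent(f"entry count {count} over limit")
    off, rules = HEADER.size, []
    for i in range(count):
        if len(buf) - off < ENTRY.size:
            raise MalformedContent(f"entry {i}: truncated")
        kind, length = ENTRY.unpack_from(buf, off)
        off += ENTRY.size
        if length > MAX_PAYLOAD or len(buf) - off < length:
            raise MalformedContent(f"entry {i}: length {length} does not fit")
        rules.append((kind, buf[off:off + length]))
        off += length
    if off != len(buf):
        raise MalformedContent(f"{len(buf) - off} trailing bytes")
    return rules


def load_rules(buf, current):
    """Agent policy: a rejected update never replaces the working rule set."""
    try:
        return parse_validating(buf), True
    except MalformedContent:
        return current, False


def outcome(parser, buf):
    """Classify a parser's behaviour: 'ok', 'rejected' (typed error) or 'crashed'."""
    try:
        parser(buf)
        return "ok"
    except MalformedContent:
        return "rejected"
    except Exception:   # in a kernel driver this would be a panic, not an exception
        return "crashed"


# Constructed inputs: a well-formed file, one whose count claims entries that
# are not there, one whose length field overruns the buffer, and a zero-filled file.
GOOD = build([(1, b"foo"), (2, b"bar")])
LYING_COUNT = HEADER.pack(MAGIC, 3) + ENTRY.pack(1, 3) + b"foo"
LYING_LENGTH = HEADER.pack(MAGIC, 1) + ENTRY.pack(1, 0xFFFF) + b"foo"
ZEROS = bytes(64)

if __name__ == "__main__":
    for name, buf in [("good", GOOD), ("lying count", LYING_COUNT),
                      ("lying length", LYING_LENGTH), ("zeros", ZEROS)]:
        print(f"{name:13s} trusting={outcome(parse_trusting, buf):8s} "
              f"validating={outcome(parse_validating, buf)}")
```

Two of the bad inputs show why “crashes” is not the only thing to guard against: the trusting parser crashes on the count lie, but on the length lie and on the all-zero file it returns quietly with wrong or empty rules, which in a security agent means silently running with no protection. The validating parser rejects all three with the same typed error, and `load_rules` turns that rejection into “keep the previous rule set” rather than “stop working”.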

          • deadbeef79000@lemmy.nz · 1 up, 1 down · 4 months ago

            Having the data exposed to userspace via an API would avoid having to have a kernel module at all… Which when malformed wouldn’t compromise the kernel.

            • ricecake@sh.itjust.works · 4 up · 4 months ago

              I mean, sure. But typically operating systems don’t expose that type of information to user space, instead providing a kernel interface with user mode configuration.

              It’s why they use the same basic approach on Mac and Linux.

        • ricecake@sh.itjust.works · 4 up · 4 months ago

          Security operations being one of the things that is often best done at the kernel level because of the need to monitor network and file operations in a way you can’t in user mode.

    • GBU_28@lemm.ee · 15 up · 4 months ago

      “even on Lemmy”

      Like this is some highbrow collection of geniuses here?