It's Not Just CrowdStrike - the Cyber Sector is Vulnerable (ft.com)
An anonymous reader shares a report, which expands on the ongoing global outage: The incident will exacerbate concerns about concentration risk in the cyber security industry. Just 15 companies worldwide account for 62 per cent of the market in cyber security products and services, according to SecurityScorecard. In modern endpoint security, the business of securing PCs, laptops and other devices, the problem is worse: three companies, with Microsoft and CrowdStrike by far the largest, controlled half the market last year, according to IDC.
While the US Cyber Safety Review Board dissects large cyber attacks for lessons learned, there is no obvious body charged with analysing these technical failures to improve the resilience of global tech infrastructure, said Ciaran Martin, former head of the UK's National Cyber Security Centre. The current global outage should spur clients -- and perhaps even governments and regulators -- to think more about how to build diversification and redundancy into their systems. Further reading: Without Backup Plans, Global IT Outages Will Happen Again.
Re: (Score:2)
No one likes to spend cash on security. They prefer to roll the dice and maybe have to recover from ransomware or whatever.
Not really - a secure OS won't save you (Score:2)
The vast majority of these enterprises are still using an insecure legacy operating system that nowadays has only niche uses, such as gaming. With nearly all applications being client-server, there's no excuse.
Sorry dude, you're just wrong. That's like blaming an office for getting burglarized for having second-rate inner door locks when the thieves come in with power tools and cut through the locks. Create a perfect OS, they'll just DDoS you... or spoof your site, or cause all sorts of problems you're not aware of, but these companies generally are. These security projects complement best practices in security.
Re: (Score:2)
Sorry dude, you're just wrong. That's like blaming an office for getting burglarized for having second-rate inner door locks when the thieves come in with power tools and cut through the locks.
No burglars showed up and caused this. The locks just exploded.
Re: (Score:2)
So who attacked Microsoft?
Re: (Score:2)
If I made a post saying that management software running with administrator privileges somehow can only screw up Windows, I'd be posting as AC as well. Good call Anonymous Coward not putting your name to something so stupid.
Re: (Score:2)
If CrowdStrike had released a bad Linux driver, it would have been just as bad for Linux OSes. This is not a Windows-specific problem, it's a CrowdStrike-specific problem. More specifically, it's the fact that they were relying on ring 0 access. My guess is that they didn't really need such low-level admin permissions, but were too lazy to figure out exactly what permissions they DID need, and just required all permissions instead.
Re:The real problem (Score:5, Interesting)
No, CrowdStrike on linux uses eBPF, which isolates the kernel module from the rest of the kernel space. Sure, the Falcon sensor service would fail, but the machine would not be unbootable.
Re: (Score:2)
eBPF is available for Windows also. https://github.com/microsoft/e... [github.com] CrowdStrike could presumably have chosen to use it. They didn't.
Re:The real problem (Score:5, Informative)
eBPF has been in the Linux kernel since 2014. The Windows version is a work-in-progress first released in 2022.
Re: (Score:2)
So for professional use, I use Linux like 99% of the time.
However, I still boot up the old official work laptop with Windows because:
-Microsoft Teams won't let Linux control a shared screen, and some people simply insist on using Teams for screen sharing to get some remote support
-I had to deal with a really gnarly PowerPoint as part of a certain bureaucratic process that required me to do things not supported in the web PowerPoint version
Office may be much more web enabled than it used to be, but MS Office st
CrowdStrike is a POS. (Score:5, Informative)
Re: (Score:1)
Are you sure that's Crowdstrike? Sounds like normal Windows 10 behaviour to me (I have not had to use Win 11 up to now).
Oh, and I have just looked at the NASDAQ 100. Biggest drop of the day is something called Crowdstrike Holdings, down 12.22% as of a couple of minutes ago.
Re: (Score:2)
This brings back terrible memories.
In a previous job I complained that it was putting too many admin teams on the boxes. I didn't like that because the updates happened whenever.
Re: CrowdStrike is a POS. LOL (Score:2)
Your anecdote would be a lot cooler if we couldn't see right now that it's very low quality software with inadequate testing.
Monopolies in General (Score:5, Insightful)
Re: (Score:2)
Simple, you'd have multiple possible sources of error. Just like how RAID1 doubles the chance of hardware failure. The thing about diversifying is that you may halve the number of people impacted but you double the chance that either half is affected.
That's the strange world we live in now. The world shut down for a couple of hours. It made the news. But each individual company shutting down for other unrelated issues happens too, and it doesn't make the news. (Well it does when it's an airline, and that act
Phasing out Windows (Score:4, Insightful)
A good start.
Re: (Score:2)
And doing what? Run an OS that magically doesn't have any software with administrator privileges? Or do you somehow think that other OSes can't be made to kernel panic when privileged software screws up, in which case you really should never ever give an opinion on OS security again - for other people's sake.
Re: (Score:3)
And doing what?
1. Not giving any software permission to connect to the Internet and download updates on its own. That's a recipe for a security disaster like just happened.
2. Not implementing single points of failure in systems which are supposed to be high-availability. It's not just about hardware. Implementing Crowdstrike on all of a company's machines made it a single point of failure. You have to use enough different pieces of software to maintain operation if it catastrophically breaks.
That applies to Linux and Wind
Re: (Score:2)
I can see you've never managed large groups of systems before. If you think anyone is going to use multiple different enterprise security solutions in one organisation you'll be quickly fired for wasting money. Bonus points for thinking that redundant servers can be managed with different unique configurations. I'll bet the biggest risk to an organisation would be you, when you go and do a failover test.
Re: (Score:3)
I worked in the devops group for one of the largest Linux deployments on earth. Literally millions of servers. We didn't use different security solutions but we did not did not did not allow them to update all on the same day.
Re: (Score:3)
Also, you don't build "failover" systems in a credible high-availability design. You build active/active systems because that's the only way to catch mistakes before the secondary systems are needed.
If you design a standby system and expect it to be in good working order when the primary system suffers an outage, you've already lost.
Re: (Score:2)
OS which doesn't allow? So you want to hand over all control to Microsoft and build a walled garden then, got it. Let's run the world on iPhones.
Re: (Score:1)
Run an OS that doesn't need or allow a self-updating proprietary anti-malware clusterfuck?
I think he means OpenVMS .... maybe.
SD
Re: (Score:3)
Hey, I agree, but Windows being closed source and being a massive clusterfuck enables these kinds of problems with ease. It will only get worse as Microsoft continues to migrate everyone to SaaS. I hope this is a massive wake up call for companies and governments alike. MICROSOFT IS NOT YOUR FRIEND.
Re: (Score:2)
The CrowdStrike issue has nothing to do with Windows specifically. If they had deployed a bad driver on Linux systems, those systems would have been crashing just as much.
Re: (Score:1)
This is Windows speak for I don't know what I'm talking about. Who is they and how can they deploy a bad driver on a production Linux system? Where did they get that driver? How incompetent is this admin?
I haven't had anything like this happen to me in the last 30 years on Linux, FreeBSD or Mac.
Re: (Score:2)
They = CrowdStrike
The implementation of their (CrowdStrike's) Windows agent was created as a driver. That driver had a bug.
If CrowdStrike released a Linux agent, there's no reason to suppose that agent couldn't also cause the OS to crash, given enough permissions (as the Windows agent was given).
"They" (CrowdStrike) wrote "that driver."
How competent is "the" admin? "The" admin has nothing to do with this. "The" admin was instructed to install CrowdStrike. CrowdStrike's agent requires "God" permissions. "The
Re: (Score:2)
Fully agree. There are people that do not understand Windows and the alternatives. These usually think Windows is great and everything else is worse. Then there are people that actually do understand the alternatives. A great success for Microsoft marketing, but a bad outcome for the human race overall.
Re: (Score:1)
Au contraire. It has everything to do with Windows. Without Windows such a product would not even exist.
Re: (Score:2)
If that's true, why does CrowdStrike offer Linux protection? https://www.crowdstrike.com/pa... [crowdstrike.com]
Re: (Score:2)
Simple: Because a lot of IT is clueless, and when they have it on Windows, they think they also need it on Linux. But Linux alone would not have created that market.
Re: (Score:2)
Ah, I see, because obviously only a dumb IT person would ever choose Windows in the first place. Got it.
Guess what, Linux is no paragon of security. Remember Heartbleed? https://en.wikipedia.org/wiki/... [wikipedia.org] That was on Linux, and it was open source, and the bug was pretty dumb (but also not easy to spot).
I realize that Heartbleed was an exploit, and this was just a bad deployment. The point is, every complex OS has the potential to go very, very wrong.
Re: Phasing out Windows (Score:2)
I just read a comment that says their software uses eBPF on Linux where it is mature, but not on Windows where it is not. If that is true then you are flat wrong. But I haven't bothered to do any research.
Re: (Score:2)
I don't know how mature eBPF for Windows is, but it certainly exists. https://github.com/microsoft/e... [github.com]
Whether eBPF is more mature on Linux or not, if you give software enough permissions, it can get itself into trouble, whether it's on Windows or Linux / eBPF. There is no way a framework like eBPF can protect against *all* risks.
What happened to... (Score:2)
...testing on one machine before widespread deployment?
Re: (Score:2)
...testing on one machine before widespread deployment?
I figured my host _was_ the one machine, since it started dropping out before the error's official time. ;-)
Re: (Score:2)
Not any longer. Now it's simply turn on auto updates because they're highly reliable, and away you go.
Or, for those old enough to remember, "Just set it and forget it."
Re: (Score:3)
That, and testing your rollout to progressively larger production instances, rather than all at once!
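As an added example, not code from the thread or from any vendor, here is a ring-based rollout controller of the kind the comment describes: each ring is pushed to a progressively larger slice of the fleet, and the rollout halts as soon as one ring exceeds a failure threshold. The fleet, the ring sizes, the 2% threshold and the "does this update break boot" callback are all constructed for illustration.

```python
"""Ring-based staged rollout with a health gate between rings.

Added example (not from the thread): simulates pushing an endpoint-agent
update to progressively larger slices of a fleet and halting as soon as the
hosts updated in the latest ring exceed a failure threshold. Fleet, ring
sizes and the 'update breaks boot' callback are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Sequence

# Cumulative share of the fleet reached after each ring (canary, early, broad, everyone).
RINGS = (0.01, 0.10, 0.50, 1.00)
MAX_FAILURE_RATE = 0.02   # halt if more than 2% of the hosts in a ring fail to come back


@dataclass
class Host:
    name: str
    index: int
    version: str = "1.0"
    healthy: bool = True


@dataclass
class RolloutResult:
    passed_rings: int      # rings that cleared the health gate
    updated_hosts: int     # hosts that received the update before the rollout stopped
    failed_hosts: int      # hosts left unhealthy by the update
    halted: bool           # True if the gate stopped the rollout early


def make_fleet(size: int) -> List[Host]:
    """Constructed sample fleet; names and indices are placeholders."""
    return [Host(f"host-{i:04d}", i) for i in range(size)]


def staged_rollout(fleet: Sequence[Host], version: str,
                   update_breaks_boot: Callable[[Host], bool],
                   rings: Sequence[float] = RINGS,
                   max_failure_rate: float = MAX_FAILURE_RATE) -> RolloutResult:
    """Update the fleet ring by ring; stop before the next ring if this one fails the gate."""
    total = len(fleet)
    updated = failed = passed = 0
    for share in rings:
        # Each ring gets at least one host, so a tiny fleet cannot "pass" an empty canary.
        target = min(total, max(int(total * share), updated + 1))
        ring = fleet[updated:target]
        if not ring:            # fleet already fully covered (or empty): nothing left to gate
            break
        for host in ring:
            host.version = version
            host.healthy = not update_breaks_boot(host)   # models the post-update reboot
        ring_failures = sum(not h.healthy for h in ring)
        updated, failed = target, failed + ring_failures
        if ring_failures / len(ring) > max_failure_rate:
            return RolloutResult(passed, updated, failed, halted=True)
        passed += 1
    return RolloutResult(passed, updated, failed, halted=False)


if __name__ == "__main__":
    # A fully broken update: the canary ring stops it after 1% of the fleet.
    print(staged_rollout(make_fleet(1000), "2.0", lambda h: True))
    # The same update pushed to everyone at once (a single 100% ring).
    print(staged_rollout(make_fleet(1000), "2.0", lambda h: True, rings=(1.0,)))
```

Spreading the rings across separate days, as the large-deployment commenter above describes, is the same controller with a pause between iterations.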
Re: (Score:3)
That would be solid engineering. It is a cost factor, and the usual idiots will buy your stuff anyways because they have no clue. Better invest more effort into marketing. Well, until the house of card collapses.
one vendors software can fuckup lots of system wit (Score:2)
One vendor's software can fuck up lots of systems with a bad update.
Maybe if there was more competition then we may have fewer systems all using the same software.
Of course (Score:2, Offtopic)
The fundamental issue is antivirus software has to write dangerously low level, privileged stuff in dangerous languages like C and C++. If Microsoft has sense they'll look at the calamitous fallout of this issue and figure out ways to mitigate it, e.g. by mandating use of safer programming languages like Rust for writing drivers, or mandating their own AV mini driver interface that obviates the need for vendors to write so much code.
Re: (Score:2)
Uhuh.
Actually Rust stops a heap of issues at compile time that C/C++ allows through to runtime - null / freed pointer references, buffer over / under flows by design. If you don't know that, I suggest you stop writing dumb comments and labeling other people as "stupid". Especially in the face of a major outage that caused billions of dollars in losses and was clearly caused by a very low level and fundamental issue.
Re: (Score:2)
Never said it would have. I said mitigate, i.e. lessen the risk and said "e.g." before Rust to demonstrate what I meant by that. Mitigate means reducing the chance of it happening again. The reality is that a lot of instability in drivers - perhaps the majority - is from the language they're written in. NULL is considered the billion dollar mistake and C/C++ don't give a damn about it, or many other issues. And then there is the quantity of code required to implement the driver that could be reduced with pa
Tech is hard. Pay me to do it. You can trust me. (Score:5, Insightful)
Also, every business and government was balls deep about, what? 20 years ago?
Approximately the last time anyone thought strategically for themselves.
Re:Tech is hard. Pay me to do it. You can trust me (Score:5, Insightful)
Well said. The bottom line is that in IT, you can make some decent business with a good product. Or not. But to get filthy rich you need to essentially run a scam.
Risk un-assessment (Score:2)
Race car driver CEO running with scissors? (Score:1)
DUH! (Score:2)
It's about compliance, not security (Score:5, Insightful)
Re: (Score:2)
Yes, clearly. Most stupid instance I have ever seen was a completely isolated environment, where they had to put in a backdoor because external audit told them they must have AV in there. When we then told them they did not have an isolated environment anymore, they did not understand what we were saying.
Re: (Score:2)
The problem, IMHO, is that endpoint security software isn't actually designed to secure endpoints. It's designed to tick a checkbox on some compliance form that says endpoint security is being used, so don't sue us when it all goes pear shaped.
I wish it was that simple. I'd love to just install this on a system, have it spawn a little tender app that checks into the mothership and completes that regulatory requirement.
Don't forget to add a "use an obscene amount of system resources for no goddamn reason" footnote to that checkbox.
Also "dogpile on busy systems" and "increase your Cloud Spend for more resources". Just use tiny print.
A 3rd party vendor will always be the weakest link (Score:3)
This is a wake up reminder that you shouldn’t have an internet connected privileged binary running on your production systems. What was a bad update could have easily been a massive adversary backdoor. A third party vendor will always be the weakest link. Isolate critical systems
Christopher Stanley (@cstanley)
TFA Costs $1 (Score:2)
Re: (Score:2)
Whenever you see these stories submitted by "an anonymous reader" that link to a paywalled web page, you can safely assume the blogger who wrote the paywalled story submitted it.
"Products" do not cut it (Score:4, Interesting)
Products do not make your IT secure (or safe or reliable). For that you need skills and insights. IT products these days are as crappy as the vendor thinks they can get away with.
Suggestions (Score:3)
1. Require higher standards of kernel code, to reduce the risk of malware being able to compromise security.
2. Require good instrumentation and security APIs, so that security software can have clearly defined and well-bounded risks that can be clearly understood, and to ensure that modification of the kernel is not required for full security.
3. Require that commercial product vendors be liable under lemon laws for products that could have never worked as intended.
These three would go a long way to mitigate the risks involved and reduce the need for intrusive security software.
As far as Linux and FreeBSD are concerned, it would be financially cheaper for the US government to pay to have both OSes rigorously scrutinised with an eye to fixing security holes and serious defects than it would be to have another day like today.
And as Linux and FreeBSD are used in critical infrastructure that absolutely must stay working, it would be in line with the government's stated aim of securing that infrastructure.
Re: Suggestions (Score:2)
For code that is free/libre: Defects are the user's problem, but the baseline estimated defect density should be published somewhere.
For commercial code:
For regular activity, the estimated average defect density should be 0.5 per kloc.
For code sold to key industries, this should be 0.4 per kloc.
For code sold to critical industries, this should be 0.3 per kloc
For mission-critical systems (as defined by failure causing death or in excess of $1m damage), code amenable to formal verification by HOL or Coq shoul
The dangers of a software monoculture (Score:2)
“In 2003, a group of security experts—myself included—published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would be interesting to revisit the debate.”
Re: (Score:2)
I became aware of the problems with a software monoculture on my own several years ago, and I thought I was rather original in my thinking! This Schneier guy continues to impress me at how far ahead he can see. 21 years is forever in technology. Wow.
Will keep this link to prove it wasn't my idea.
I'm curious to see the counterpoint essay, but the link was dead.
Re: (Score:2)
Counterpoint Marcus Ranum [bitpipe.com]
Re: (Score:2)
In 2010? Welllll... ok. I think he was defending monopolistic behaviour myself.
I think the Friday outage shows the impact on critical systems a MS monoculture causes.
I'd call that proof enough that there's no resilience in the system as Ranum argues and
we are definitely seeing the effects of blind trust in technology. We've definitely arrived in dystopian territory.
The companies' legal departments must be shitting a brick right now.
Schneier is still way out front on this issu
Re: (Score:2)
Always interesting seeing two sides of the argument. Ranum does have some interesting things to say on The Six Dumbest Ideas in Computer Security [clemson.edu]
Re: (Score:2)
I wouldn't say I'm a fan of this guy's writing style and analysis, it's a bit folksy and light on substance, imho, however he brings up some good points.
"Around the time I was learning to walk, Donn Parker was researching the behavioral aspects of hacking and computer security. He says it better than I ever could: "Remote computing freed criminals from the historic requirement of proximity to their crimes. Anonymity and fr
Re: (Score:2)
The Six Dumbest Ideas in Computer Security [ranum.com] (2005)
More companies need to switch to Linux! (Score:1)