Back

@mirabilos

Somebody just woke up.

@rysiek

@ParadeGrotesque @rysiek yeah. And I’m seeing all kinds of interesting reactions to something I didn’t know. But web+ap://toot.mirbsd.org/@osnews_rss/statuses/01J354WG7ENFWTKD9K6N20T46D seems to have a good explanation (OSnews).

@lnl @rysiek so just business as usual for Windows users and proprietary crap

@jon

@pnathan this is not a technical failure, this is a systemic failure. The underlying affected technology is much less important than the ecosystem that created that problem.

I do find it interesting you brought up Linux out of the blue. Nowhere in this whole thread have I mentioned Linux, FLOSS, or anything of the sort.

@rysiek
> Let's see if "nobody ever got fired for choosing Windows" still holds a week from now.

Sorry, I flipped the bit on Windows and found a penguin.

I'm not sure I precisely grasp what you mean by systemic ecosystem. The systemic ways of thinking here to my mind all yield things like "don't use workstations" - because the systemic needs for DLP, defense, and various regulatory compliances won't be going away.

@pnathan systemic failure in management on CrowdStrike side, let's start here. Clearly there needed to be better testing of updates, for example.

If we scratch the surface, I bet we find corner-cutting on QA and testing, for example.

I bet we also find a few near-misses over the last couple of years.

And I bet there's an ignored engineering/security memo, sitting in some middle-manager's mailbox, that outlines this scenario and ways to avoid it.

@pnathan the broader systemic problem is that incentives for people who do make decisions in tech organizations simply do not align with fixing such issues.

If I'm a middle manager, getting my bonuses based on near-term company stock and financial performance, why would I invest in additional testing and QA? Likelihood of failure is low, right?

Especially since when shit really hits the fan I can easily blame this on Steve from Engineering, whose name happens to be on the commit message?

@rysiek It's also a question of e&o insurance and the fact that quality is not something biz buyers care that much about. Compliance is about checkboxes. And CS sells, IIUC, compliance.

I feel bad for Steve. I hope he has a lot of savings.

(I would note that I interviewed at CS and their practices were definitely regressive in the department I was speaking with... regressive vs other corps XD).

@pnathan sure. But all these are all also broader systemic issues.

Regressive you say? Well there you have it.

@dzwiedziu right? I tapped into my strategic popcorn reserve!

@billy yup

@rysiek @billy And apparently, normally customers can control the timing, but this time, that was overridden.
via https://news.ycombinator.com/item?id=41003390

@BenAveling @rysiek i didn’t catch onto that bit actually, interesting - i was wondering how my organisation got this update, for we have some specific settings (that bit’s not down to me though)

looks like i’m being invited to some big talks on monday

@billy @rysiek I have repeatedly been muttering that : this could have been worse, it might have been Friday afternoon.
I wonder this will be an opportunity to ask for support for the changes you want to see.

@BenAveling @billy never waste a good crisis!

@rysiek @billy Something like that. The file was misformated, so that caused bootup to barf, reboot, wash, rinse, repeat.
And those files are different for every customers (because DRM), so they must be autogenerated, so something broke the autogeneration or something slipped past the autogeneration, or IDK, is there a 3rd option?

@BenAveling @billy yeah, but my point here is that if the poster calls it "kernel driver update", then the poster clearly doesn't have the full understanding of what was going on.

I am not saying it's all wrong. I am saying: that's a "huh, need to be a bit careful here" moment.

@rysiek @BenAveling it won’t be a kernel driver update because that’s not exactly what crowdstrike does - but it’ll be a file that works closely with the kernel, which is an easy takeaway anyway. it’s hard to go into details on what the specifics are, and i’m hoping for a PIR from crowdstrike to conclude this (i’ll be pressing them for one if we don’t have any info)

but until then, enough has happened today - i’m going to enjoy my moretti and forget things for at least a couple of hours

@BenAveling @billy a .sys file is any file whose name ends in ".sys". It seems that in this case the .sys files that were the root issue – the ones CrowdStrike tells people to delete – are not loadable kernel modules but rather data for the module to process (malware signatures or some such).

@rysiek What's the evidence for that - that they were not signed? @billy

@BenAveling @rysiek @billy They're not signed, and they're not a PE executable.

@dantemercurio yeah...

@dalias right, that seems to be the case indeed.

But do you know if such a definition update is usually distributed signed? I cannot imagine the answer is "no", but…

@rysiek @dalias If it was the case, and pure data updates had less rigid testing procedures, it would explain a lot.
Signing wouldn‘t have prevented it then, what would have is a more holistic test approach with every data update, or finding the existing bug, or a form of error handling that doesn‘t break a whole operating system.

@kmetz @dalias yeah. But if @GossiTheDog is right, and I have no reason not to believe him, the signature file from different b0rked customers were all garbage, but *different garbage*:
https://cyberplace.social/@GossiTheDog/112812260542179660

Which would suggest that either:
1. data files were not signed, relying perhaps on HTTPS for integrity;
2. the signature verification code is what crapped out on garbage data.

Gossi also claims that "the files aren't signed":
https://cyberplace.social/@GossiTheDog/112812317243841396

Which would mean 1.

@rysiek @dalias @GossiTheDog Ok, you meant signed for end-to-end transport integrity (not eg. by Microsoft for saying „we approve this“). That could have obviously prevented it.

To add a 3. to your points, data files could be supposed to look different locally (maybe locally encypted) for some reason, but I guess that would have been already noticed by @GossiTheDog

@rysiek @dalias @GossiTheDog So… then an even more holistic test approach of phased rollouts, starting with own machines in different regions behind different CDNs and such, would have prevented it.

@dos right. But one would assume that the update was at least signed by CrowdStrike?

@rysiek Well, you linked to someone who claimed it wasn't. How trustworthy that report is? You tell me!

@dos I don't know, which is why I am asking for further confirmation.

@rysiek @dos config/update files typically wouldn't be signed and wouldn't make any difference if they were as that just validates what you sent is what you got. And if you send crap that kills the parser.... unlucky.

@joearisia

> wouldn't make any difference if they were as that just validates what you sent is what you got.

I have seen things that suggest the CDN that CrowdStrike uses b0rked the files. I have also seen people mentioning that on different b0rked systems the files that were installed as part of the b0rked update were all *different* garbage.

If these are true, signing and verifying these signatures could have prevented both of these.

Hence me asking about signing.

@dos