[Info-vax] A meditation on the Antithesis of the VMS Ethos

Arne Vajhøj arne at vajhoej.dk
Sun Jul 21 09:50:36 EDT 2024


On 7/21/2024 8:55 AM, Craig A. Berry wrote:
> On 7/21/24 4:41 AM, Subcommandante XDelta wrote:
>> The problem here is that Crowdstrike pushed out an evidently broken
>> kernel driver that locked whatever system that installed it in a
>> permanent boot loop. The system would start loading Windows, encounter
>> a fatal error, and reboot. And reboot. Again and again. It, in
>> essence, rendered those machines useless.
> 
> It was not a kernel driver.  It was a bad configuration file that
> normally gets updated several times a day:
> 
> https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/

So not a driver.

But I will not blame anyone for assuming that a .SYS file under
C:\Windows\System32\drivers was a driver.

> The bad file was only in the wild for about an hour and a half.  Folks
> in the US who powered off Thursday evening and didn't get up too early
> Friday would've been fine.  Of course Europe was well into their work
> day, and a lot of computers stay on overnight.

The impact was pretty huge.

> The boot loop may or may not be permanent -- lots of systems have
> eventually managed to get the corrected file by doing nothing other than
> repeated reboots.  No, that doesn't always work.
> 
> The update was "designed to target newly observed, malicious named pipes
> being used by common C2 frameworks in cyberattacks."
> 
> Most likely what makes CrowdStrike popular is that they are continuously
> updating countermeasures as threats are observed, but that flies in the
> face of normal deployment practices where you don't bet the farm on a
> single update that affects all systems all at once.  For example, in
> Microsoft Azure, you can set up redundancy for your PaaS and SaaS
> offerings so that if an update breaks all the servers in one data
> center, your services are still up and running in another.  Most
> enterprises will have similar planning for private data centers.
> 
> CrowdStrike thought updating the entire world in an instant was a good
> idea. While no one wants to sit there vulnerable to a known threat for
> any length of time, I suspect that idea will get revisited. If they had
> simply staggered the update over a few hours, the catastrophe would have
> been much smaller.  Customers will likely be asking for more control
> over when they get updates, and, for example, wanting to set up
> different update channels for servers and PCs.

I have already seen speculation that IT security will decrease because
patch deployment speed will slow down.

Arne

PS: I don't like the product!




More information about the Info-vax mailing list