Path: ...!3.eu.feeder.erje.net!feeder.erje.net!weretis.net!feeder8.news.weretis.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: =?UTF-8?Q?Arne_Vajh=C3=B8j?= <arne@vajhoej.dk>
Newsgroups: comp.os.vms
Subject: Re: A meditation on the Antithesis of the VMS Ethos
Date: Sun, 21 Jul 2024 09:50:36 -0400
Organization: A noiseless patient Spider
Lines: 56
Message-ID: <v7j3na$3u0v$3@dont-email.me>
References: <rjlp9jlpbrokm8bpi915s43pidb52s7m9c@4ax.com> <v7j0fo$3k1u$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Sun, 21 Jul 2024 15:50:35 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="ec7df24485a992a5016b0dbd0af63a9a"; logging-data="129055"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+8FRQtgFmCkFt1UT1CITE/PvEyRwBq8Sg="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:dcnOD7UDMD1Z+8aMfrkwX4RMZAM=
In-Reply-To: <v7j0fo$3k1u$1@dont-email.me>
Content-Language: en-US
Bytes: 3762

On 7/21/2024 8:55 AM, Craig A. Berry wrote:
> On 7/21/24 4:41 AM, Subcommandante XDelta wrote:
>> The problem here is that Crowdstrike pushed out an evidently broken
>> kernel driver that locked whatever system that installed it in a
>> permanent boot loop. The system would start loading Windows, encounter
>> a fatal error, and reboot. And reboot. Again and again. It, in
>> essence, rendered those machines useless.
>
> It was not a kernel driver. It was a bad configuration file that
> normally gets updated several times a day:
>
> https://www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/

So not a driver.

But I will not blame anyone for assuming that a .SYS file under
C:\Windows\System32\drivers was a driver.

> The bad file was only in the wild for about an hour and a half. Folks
> in the US who powered off Thursday evening and didn't get up too early
> Friday would've been fine. Of course Europe was well into their work
> day, and a lot of computers stay on overnight. The impact was pretty huge.
> The boot loop may or may not be permanent -- lots of systems have
> eventually managed to get the corrected file by doing nothing other than
> repeated reboots.

No, that doesn't always work.

> The update was "designed to target newly observed, malicious named pipes
> being used by common C2 frameworks in cyberattacks."
>
> Most likely what makes CrowdStrike popular is that they are continuously
> updating countermeasures as threats are observed, but that flies in the
> face of normal deployment practices where you don't bet the farm on a
> single update that affects all systems all at once. For example, in
> Microsoft Azure, you can set up redundancy for your PaaS and SaaS
> offerings so that if an update breaks all the servers in one data
> center, your services are still up and running in another. Most
> enterprises will have similar planning for private data centers.
>
> CrowdStrike thought updating the entire world in an instant was a good
> idea. While no one wants to sit there vulnerable to a known threat for
> any length of time, I suspect that idea will get revisited. If they had
> simply staggered the update over a few hours, the catastrophe would have
> been much smaller. Customers will likely be asking for more control
> over when they get updates, and, for example, wanting to set up
> different update channels for servers and PCs.

I have already seen speculation that IT security will decrease because
patch deployment speed will slow down.

Arne

PS: I don't like the product!
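The staggered rollout and separate update channels that Craig describes above, as an added illustration that is not code from this thread, from Arne or Craig, or from CrowdStrike: a ring-based rollout controller pushes a content update to a small canary slice first, gates every ring on a health check, and only moves on to the server channel once the PC channel has completed without halting. Host names, ring fractions, the version strings and the simulated boot check are all constructed for the example.

```python
"""Ring-based rollout with a health gate and per-channel ordering.

Added example for the discussion above; not the thread's, Arne's, Craig's or
CrowdStrike's code. Fleet, ring sizes, version strings and the boot check are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass
class Host:
    name: str
    channel: str            # "pc" or "server": separate update channels
    version: str = "cf-290"  # constructed baseline content-file version
    

@dataclass
class RolloutResult:
    updated: List[str]      # hosts that received the new version
    halted: bool            # True if a ring failed its health gate
    reason: str = ""


# Constructed marker for the "bad" content file in the simulation.
CONSTRUCTED_BAD_VERSION = "cf-291-bad"


def boot_succeeds(host: Host) -> bool:
    """Simulated health check: a host running the bad file fails to boot."""
    return host.version != CONSTRUCTED_BAD_VERSION


def plan_rings(hosts: Sequence[Host],
               fractions: Tuple[float, ...] = (0.01, 0.10, 0.50, 1.0)) -> List[List[Host]]:
    """Split hosts into cumulative rings (1%, 10%, 50%, 100% by default).

    Every ring gets at least one host so a small fleet still has a canary.
    """
    n = len(hosts)
    rings, done = [], 0
    for frac in fractions:
        end = n if frac >= 1.0 else min(n, max(done + 1, int(n * frac)))
        rings.append(list(hosts[done:end]))
        done = end
    return [r for r in rings if r]


def rollout(hosts: Sequence[Host], new_version: str,
            health_check: Callable[[Host], bool],
            max_failure_rate: float = 0.0) -> RolloutResult:
    """Update ring by ring; stop at the first ring whose failure rate is too high."""
    updated: List[str] = []
    for ring in plan_rings(hosts):
        for h in ring:
            h.version = new_version
            updated.append(h.name)
        failures = [h.name for h in ring if not health_check(h)]
        if len(failures) / len(ring) > max_failure_rate:
            return RolloutResult(updated, True,
                                 f"halted after {len(updated)} host(s); failed: {failures[:3]}")
    return RolloutResult(updated, False)


def rollout_by_channel(fleet: Sequence[Host], new_version: str,
                       health_check: Callable[[Host], bool],
                       order: Tuple[str, ...] = ("pc", "server")) -> Dict[str, RolloutResult]:
    """Roll out channel by channel (PCs before servers); a halt in one channel stops the rest."""
    results: Dict[str, RolloutResult] = {}
    for channel in order:
        hosts = [h for h in fleet if h.channel == channel]
        if not hosts:
            continue
        results[channel] = rollout(hosts, new_version, health_check)
        if results[channel].halted:
            break
    return results


def make_fleet(n_pcs: int, n_servers: int) -> List[Host]:
    """Constructed fleet with generic host names."""
    return ([Host(f"pc-{i:03d}", "pc") for i in range(n_pcs)] +
            [Host(f"srv-{i:03d}", "server") for i in range(n_servers)])


if __name__ == "__main__":
    bad = rollout_by_channel(make_fleet(90, 10), CONSTRUCTED_BAD_VERSION, boot_succeeds)
    print("bad update:", {c: (len(r.updated), r.halted, r.reason) for c, r in bad.items()})
    good = rollout_by_channel(make_fleet(90, 10), "cf-291", boot_succeeds)
    print("good update:", {c: (len(r.updated), r.halted) for c, r in good.items()})
```

With the constructed fleet of 90 PCs and 10 servers, the bad file reaches exactly one canary PC before the gate halts everything, and the servers are never touched; the good file proceeds through all rings of both channels. The threshold and ring fractions are the knobs a customer-controlled update channel would expose.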