Another solution is to accept that mistakes happen and do a phased rollout of updates. Heck, Windows Updates are known to be enough of a crapshoot that every place I've worked at, over the past decade or so, has had a plan for updating systems in batches. That CrowdStrike just YOLO'd their updates out (on a Friday, no less) to everyone at once, shows a mindset which didn't accept that bad stuff can happen.
An ounce of actual QA and QC work would go a long way, but Microsoft fired their entire QA department years ago, and told engineers that they're responsible for QA'ing all of their own work. That's a terrible policy, but it saves them money, so they like it.
What if they made a kernel that could not be compromised and tools to say exactly what is not a Windows component and have people whitelist background workers?
There is Process Explorer but make dependencies to the application not always on data thieves.
Just give access to a test environment where the corporate companies can deploy and bug test their update? Maybe some regulation making it required to pass the test environment before pushing the update.
Or! Or!... Maybe put more restrictions on which antivirus programs will be able to register with the security center?
Like...if they have a long history of fucking up, they get theirs revoked, if they have a history of quality control failures...like CrowdStrike does, they get revoked.
If they want to be able to register with the security center, they need to be audited by several different cybersecurity analysis teams that are all completely independent from each other, preferably from different countries with strong data privacy laws to prove that they're actually worth using.
For Norton and McAfee and now CrowdStrike and a few others that suck, that means they're going to have to improve massively before anyone will be able to use them...for others like Comodo, SecureAge and other whitelisting applications on par with those two, that means much more business for them.
Like it or not, the majority of the world's computers, including those for critical infrastructure around the world, run on Windows. If you're an antivirus company, trusted enough to be able to register with the security center, you better be ready to prove that you're not going to be worse than using Microsoft APT or MS Defender with ConfigureDefender on MAX...that's an easy bar to overcome, but many antivirus programs, like Norton and McAfee and even Avast/AVG now and Avira...I think Avira is now owned by Norton LifeLock... insist on limboing under that bar.
If you're expecting your product to be trusted, it better be fucking trustworthy. Making an antivirus program that works and works well can literally be the difference between people living and dying. Imagine how many life-saving surgeries had to be postponed because of CrowdStrike's lack of QC. Imagine how many transplant organ shipments had to be postponed because of this fuckup.
And of course, scammers capitalized on the confusion, put malware links that promised to fix machines destroyed by CrowdStrike only to install zero-day malware instead...data-stealers, very quiet forms of malware that the vast majority of antivirus products are useless against.
TLDR...GET YOUR SHIT TOGETHER, people depend on their computers for all kinds of things now.
I honestly can't think of any other way to force shitty antivirus programs to improve. Every boomer I know uses Norton or McAfee and refuses to even hear about other options.
Kaspersky is pretty good at protecting the average user from scammers, because they blacklisted remote desktop programs in their malware database, and now that's being banned within the US.
The US government's definition of "compliant" when it comes to something like that will completely cancel out anything good that comes from using Kaspersky, so it's never going to be un-banned and also be worth using.
Still didn't critically break any of the good operating systems though. Because no other operating system would run CrowdStrike as a critical "must be present" driver.