Crowdstrike

My current job's basic infrastructure is still based on a DOS-prompt-style code-and-response system and a horrible Windows 95 GUI. However, as someone who grew up on a Commodore 64, then upgraded to Windows 3.1, and whose first laptop had Windows 95, this is a very familiar system. My coworkers, on the other hand...
 
Why does CrowdStrike (and McAfee, and others) make products for Apple and Linux operating systems as well as Windows? Some hypotheses include:
- All the operating systems have security issues, and Microsoft is no longer unique in having security holes
- These vendors are selling people products that they don't really need for operating systems other than Windows?
- Managers are buying security products for all operating systems just to cover themselves, so they can say all systems are equally protected? (The due diligence comment mentioned earlier)
I go with the first and third options.
On United Airlines, I can do a lot of reservation functions from my tablet or phone running Android or iOS. I'm pretty sure those aren't the same OS they run on the back-end server.
To the question, you're right, it's 1 and 3. But the risk of an attack isn't just the compromise of the single system. You're correct, all OSes have vulnerabilities that can be exploited. The issue with Windows-based OSes is that they are designed to function in a network environment where the compromise of one system can lead to the compromise of all systems. As an example, I've not heard of a ransomware attack that was NOT facilitated by this Windows-specific connectivity. I'm not saying it's impossible, but it's far from the norm.

As to being able to do reservations from Android or iOS, you're correct, that's a great way to do it, and it's a modern way for an entire business to operate. But...many businesses are still running with their employees effectively on the same network as the back-end systems that need to be up 24/7. This type of system is typical of an enterprise Windows environment, and it puts the business in a spot where the compromise of one line employee's system could lead to the compromise of the enterprise. CrowdStrike and other EDR (endpoint detection and response) software are specifically designed to reduce that type of threat. Other technologies that are sometimes used include some type of "zero trust network" that generally attempts to reduce the impact of compromised single systems taking down an enterprise. Entire categories of software and companies have been built around band-aiding this kind of risk.
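The post above describes the failure mode EDR exists for: one compromised workstation authenticating across the LAN to everything it can reach. The following is an added example, not code from the thread or from any vendor, showing the simplest detection for that spread: count how many distinct hosts a single source address reaches through network logons (Windows Security Event ID 4624, logon type 3) inside a short window. The log lines are constructed for the example, and the one-line key=value rendering of the event fields is an assumption of the example, not the real log format; the field names (IpAddress, TargetUserName, Computer) are the ones the real events carry.

```python
"""Fan-out detector for Windows network logons (Event ID 4624, logon type 3).

Added example. A single workstation touching many hosts over a few seconds is
the pattern of a worm, a PsExec-style push, or ransomware staging; a user
opening two file shares is not. Thresholds and the log line format are
assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice opens two file servers at a normal pace, bob logs
# on locally (type 2, not a network logon), and workstation 10.0.5.23 sweeps six
# hosts in fifteen seconds with a service account.
SAMPLE_LOG = """\
2024-07-19T08:00:01 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.2.10 Computer=FS01
2024-07-19T08:00:05 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.2.10 Computer=FS02
2024-07-19T08:01:00 EventID=4624 LogonType=2 TargetUserName=bob IpAddress=- Computer=WS17
2024-07-19T08:02:10 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=FS01
2024-07-19T08:02:12 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=FS02
2024-07-19T08:02:15 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=WS04
2024-07-19T08:02:18 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=WS09
2024-07-19T08:02:21 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=WS11
2024-07-19T08:02:25 EventID=4624 LogonType=3 TargetUserName=svc_backup IpAddress=10.0.5.23 Computer=DC01
2024-07-19T09:30:00 EventID=4624 LogonType=3 TargetUserName=alice IpAddress=10.0.2.10 Computer=FS03
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"ts": datetime.fromisoformat(parts[0])}
    except ValueError:
        return None
    for kv in parts[1:]:
        key, sep, value = kv.partition("=")
        if not sep:
            return None
        event[key] = value
    return event


def detect_fanout(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {source_ip: [hosts]} for every source that reaches at least
    `threshold` distinct hosts via network logon within any span of `window`.
    The host list reported is the largest set seen in one window for that IP.
    """
    per_source = defaultdict(list)  # ip -> [(timestamp, target host)]
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event or event.get("EventID") != "4624" or event.get("LogonType") != "3":
            continue
        if event.get("IpAddress") in (None, "-", "127.0.0.1", "::1"):
            continue  # local or loopback logons say nothing about lateral movement
        per_source[event["IpAddress"]].append((event["ts"], event.get("Computer", "?")))

    hits = {}
    for ip, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = sorted({host for _, host in events[start:end + 1]})
            if len(hosts) >= threshold and len(hosts) > len(hits.get(ip, [])):
                hits[ip] = hosts
    return hits


if __name__ == "__main__":
    for ip, hosts in detect_fanout(SAMPLE_LOG).items():
        print(f"fan-out from {ip}: {len(hosts)} hosts in window -> {', '.join(hosts)}")
```

Run against the constructed sample, only 10.0.5.23 trips the rule; alice's two shares at breakfast and a third one ninety minutes later never put more than two hosts in one window. In a real environment the threshold has to be tuned per source class (backup servers and vulnerability scanners legitimately fan out), which is exactly the kind of per-host context an EDR agent has and a bare log search does not.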
 
You mean a terminal logged into a remote mainframe? Sure, there are some GUIs for some tasks... but it's all just a front end for some old IBM 360 in a basement somewhere.
Pretty much! In the old days, green-screen terminals to mainframes were reliable, cost-effective, and generally pretty secure. The current equivalent, which we use every day, is a computer of any brand that uses a web browser of any brand to connect to back-end servers. Using web-based tools for most employees drastically reduces the risk to a company compared to having a bunch of Windows computers all connected together.
 
Had a Delta flight out of MSP tonight scheduled 6:30p local time, got notification in the morning of a 2 hr delay. Colleague had a flight at 7a cancelled yesterday then he rebooked on an afternoon flight, went to airport, returned rental car, was delayed 3 hours then cancelled. I was tracking “my plane” on FlightAware and it was initially supposed to be LAX->SEA->MSP, saw both those legs cancelled. Then it showed it being an LAX->MSP flight getting in at 10:15p local while Delta kept saying my flight would depart 8:30p with just that initial 2 hour delay. Decided at that point mid afternoon to cancel my delta and book JetBlue Tuesday just to not deal with the ********.

Have been following along since then out of curiosity and they have kept delaying in hour long increments despite the plane arriving from LAX an hour ago, so clearly no crew. Now says it’ll takeoff in an hour but I don’t buy it and think it’ll wind up getting cancelled. Even if it doesn’t, it won’t arrive until like 4am local time at this point. I totally get Delta’s issues with crew scheduling, etc. but the lack of communication and continual last second delays is kinda ******** to me. They’ve known this flight wouldn’t take off at 8:30 all day, as I’ve known that. And if it does wind up being cancelled entirely, I find it hard to believe they wouldn’t have known that ahead of time either.

Even if it does take off in an hour, I'm just glad to not be dealing with sitting around at the airport waiting while it keeps getting delayed, risking getting stuck past midnight without bags, rental car, etc. Delta has some explaining to do, that's for sure.
 
About 15 years ago I convinced a friend to dump everything Microsoft he was using in his business. Honestly, it was a really tough sell.
I installed Linux servers, and employees got Linux desktops and laptops. Back then it was 2 locations in 2 cities and maybe 12 employees. He is now 20 locations in 18 cities and over 100 employees.
He woke me up to tell me the news about the Crowdstrike outage.
He also sent me a gift certificate for $1,000.00.
:happydance:
 
This guy (a retired Microsoft programmer) explains it well. Shocking that they used an update that was presented as data to send in executable code, in order to bypass the slowness of the WHQL qualification process.

 
About 15 years ago I convinced a friend to dump everything Microsoft he was using in his business. Honestly, it was a really tough sell.
I installed Linux servers, and employees got Linux desktops and laptops. Back then it was 2 locations in 2 cities and maybe 12 employees. He is now 20 locations in 18 cities and over 100 employees.
He woke me up to tell me the news about the Crowdstrike outage.
He also sent me a gift certificate for $1,000.00.
:happydance:
Which Linux version(s) do you prefer/recommend? (Looking ahead to the end of Windows 10 support.)
 
An attorney discusses potential liability issues for Crowdstrike.

 
Which Linux version(s) do you prefer/recommend? (Looking ahead to the end of Windows 10 support.)
I'm an Ubuntu fan for servers.
For a number of years I've been using Linux Mint on laptops and desktops. It's based on Ubuntu, so minimal problems with interaction; it's good, but not perfect.
The few times I've encountered a problem I had never seen before, I've eventually been able to find someone with an answer.
 
CS screwed up, that's apparent. But as someone who works with a lot of decent-sized software companies, I wouldn't say they've given me any reason other than this latest thing to question their management or tech. The screw-ups in that area are a couple of big outfits on the west coast and one big British management and IT consulting company. Those folks could screw up anything, charge you a fortune for it, and then swear up and down it's your fault. Just my 2 cents with a few years in IT.
 
The issue with Windows bases OS's is that they are designed to function in a network environment where the compromise of one system can lead to the compromise of all systems.
Windows originally was not designed to be connected; rather, you had to load DOS-based drivers to get the network cards to work (anyone remember the IRQ fights you had on the ISA bus?) and then use wedge programs to establish a link to remote resources. That all changed with NT.

Nowadays connectivity is baked in... even my dryer has a wireless connection (which I will never use).

Most external attack vectors are via a third-party app. Privilege escalation usually occurs because the app is wrongly using a privileged account, because it's simply easier to code things if your app has 'root' or 'admin' level access. 'Windows', aka Microsoft, has no input into how a developer must code his app. Sure, there are seals and rules to follow, but I've been tasked with installing vendor apps that were so bad that a few required that UAC be disabled for them to work.

CrowdStrike was not an attack or DOS, but rather poor QC. If you install a broken program, don't be surprised that it crashes. It also shows that while Windows does have very strong crash protection, you can still halt the system with a bad driver/app (it's amazingly easy to crash an OS with a root/admin account).

The CrowdStrike issue should have been stopped cold when QC did patch testing. It actually points out the huge cluster **** that is SaaS or 'the cloud'. You gave up control of your systems to a third party. Reap what you sow.
 
Windows originally was not designed to be connected, rather you had to load DOS based drivers to get the network cards to work (anyone remember the IRQ fights you had on the ISA bus?) then use wedge programs to establish a link to remote resources. That all changed with NT.
That's true of the original 3.x and earlier versions, which, as you say, did not originally have a native network stack. But as you point out, that changed with at least NT 3.51, which was for all practical purposes a new OS, BUT it kept that NetBIOS-based stack that they borrowed/bought from IBM, and that was a pretty much zero-security LAN solution. And that model has pretty much stuck with them forever. It's not a bad solution for 20 computers and no connectivity to the outside world, but it's just a hack now. SMB outside the datacenter just needs to go away. And eventually, everywhere.

A lot of the time 'cloud' just means 'someone else's servers'. CS missed testing somehow, it seems, but I don't see that as cloud-dependent. One of the AV players, McAfee maybe, broke MS systems a dozen or more years ago with something similar. If you're running Windows, you pretty much have to run some sort of third-party EDR, and probably a domain backup/recovery solution. To do otherwise reads to me like the Edgar Allan Poe story where everyone locks themselves in a hotel to protect themselves from the plague...except someone inside has it.

Oh, interrupts on ISA? Easy...use 7 or 5, if memory serves, because no software for DOS ever utilized the printer interrupt, and you can share them on any PC I ever worked with. Old guy stuff.
 
On the off chance of bringing this back close to topic, I'm going to clarify that my comment that CS management didn't seem bad to me, based on my indirect experience working with them, was that sometimes companies just make a mistake. Nothing more complicated than that. To me, any discussion about supposed management problems would have to first start with some sort of evidence that they have a management problem, and I don't think one screw-up is an indication of that.

Or in other words, CS doesn't seem like Boeing to me. For one, they were out to fix the mistake immediately, and didn't lead with blaming others for their problem.
 