Posts by Doctor Syntax

"Question remains the same whether you're dealing with Kernel mode or not"

I'd say the question remains "Was Friday's event acceptable or not?"

"That's a good suggestion, but that's not Microsoft's job."

If Microsoft sign the driver in order to gain that access they do have a job to do which is to require it to be able to roll back and do so. Microsoft are a gatekeeper here. If they say that in order to gain access a third party has to meet quality requirements then that third party has to meet those requirements or stay outside.

The only basis for a regulator to quibble with that would be if Microsoft gave itself a free pass not to meet those requirements itself.

"There's no such thing as a last known good configuration if something updates itself outside of the normal Windows process."

If it updates itself it can revert itself to its last known good configuration if it has maintained a copy of that. If it can't then either the kernel should then fail it or, if it isn't designed to do that, it goesn't get the signature to allow it into the kernel at all.

Re: Can an AV be effective if not in Ring 0

Doing hard stuff is what's expected of AV companies.

Re: WHQL

Without ensuring the driver performs adequate testing it should not have been signed at all.

Re: Dave Plummer has a different take on this

"The CrowdStrike driver that processes and handles these updates is not very resilient"

And there's the real problem. Anything with that privilege needs to be very resilient.

Does the driver require signing by Microsoft to be allowed this access? If so then Microsoft need to exert some strict QA before doing so. And, yes, I recognise that there might be a slight problem/irony (choose according to personal preference) there.

Re: The fault's with Microsoft

"Like the way my Linux Mint session is instantly terminated if I set a font to 96pt in Libre Office or Abiword and zoom in once?"

You keep saying that. I just entered A at 98pt Liberation Serif in LO Writer at zoom 100% and zoomed right up to 400% with no adverse effect. This is Devuan/KDE.

Maybe it's systemd? [Ducks]

More seriously, is it a specific font, every font or just some fonts?

Re: Clusterf*ck or what?

"Surely we've got a bit better at IT since then."

We sure have. Now we have lots and lots of SPOFs.

Re: things that are running

Or a Dolly?

Re: things that are running

The nearest traffic lights to me - please bork them. Everyone agrees traffic flows much better when they're out of action

I don't think I'd want anything from any of McDonald's machines but from what I hear perhaps it would fix them.

Sewage systems, yes might be a problem.

But would any embedded systems old enough to have a 32-bit time_t still be working by then?

Re: There's something familiar about all of this...

"Is that even possible with CrowdStrike?"

If it's not then perhaps the DPP should be checking to see if there's an offence under the Computer Misuse Act.

Re: There's something familiar about all of this...

"I am not allowed to lift anything heavier than a dull kettle for 6 weeks."

You should have got the doctor to write a note saying you aren't even allowed to lift a kettle. Then you can get somebody else to make the tea.

Keep well.

It's not just the updater/release process that needs to be improved. This was just a data file of some sort and the S/W that read it fell over taking the rest of the system and the reboot process with it. A program with that ability should reject a bad data file without falling over.

Re: The fault's with Microsoft

Or in this case DTaaS.

Re: There's something familiar about all of this...

There are these old-fashioned things called IT departments. As this seems to be a product aimed at big corporates there's a fair chance their customers still have them. Not guaranteed these days, but a fair chance. The IT department does the test and makes the decision on behalf of its users - and does the roll-out. I suppose they could still roll out something they know will bork all the workstations on the grounds that it will keep out ransomware but at least it becomes a deliberate choice.

Re: Will Cloudstrike be held responsible for the damage (financial and otherwise)

"you're only paying for the right to use this; we don't guarantee anything; if something bad happens, tough sh*t."

Given the impact of this lawyers are going to be looking vary carefully for ways round any such clauses. For instance if this bypasses any controls the customer might wish to make and pushes (or pulls) files in automatically then that might be caught by some provision such as the UK Computer Misuse Act.

Re: Will Cloudstrike be held responsible for the damage (financial and otherwise)

"that might count as negligence?"

It's going to be hard to pass it off as due diligence.

"Who can afford to mix and match security across their systems?"

How affordable was it not doing that?

"They cost money, see?"

It needs to be borne out on Crowdstrike that test would have been an awful lot cheaper. Or possibly on insurers to ensure that those they insure find it cheaper to demonstrate that they are carrying out testing.

Re: The fault is actually systems administrators

"You need to have some trust that some vendors aren't going to screw up your systems."

People did. This happened.

Re: Microsoft to blame, surely?

Every report I've read says it was a data file to be read by an executable. I doubt the .sys suffix means anything very much. My Windows days are long gone but memory says config.sys was a data file.

Re: Staggered releases?

It turns out that not only is time critical, not crashing the customers' computers is also critical. Who knew?

Re: It's kernel-mode

I'm old and cynical so am (a) inclined to ask for evidence of that "only" 8.5 million and (b) inclined, on the basis of evidence of the fact that the file crashing their own S/W, that they released both the file and, previously, the S/W that uses it without adequate testing.

Re: WTF?

Presumably the independent inspection, assuming it's independent and an inspection, will pick up the phone problem in due course. If, as implied, report it in your own organisation with a paper trail to cover yourself when the inspection fails the lift. Alternatively report it to HSE and/or the fire service anonymously.

Re: WTF?

"Queue management to minimise waiting time, especially in taller buildings."

It still doesn't require a regular connection to the outside world. Even if it occasionally needs an external connection for servicing then just connect externally. And don't use a desktop operating system with all the tranklements that come with a desktop operating system.

Re: WTF?

With the ultimately greatest respect imaginable, people often make decisions collectively, not individually. A collection of individuals is called a company.

What's more, they may make them by reasoning to meet widely (i.e. more than just the company) accepted criteria. The reasoning might be impeccable. The criteria, however widely accepted may be wrong.

Re: What did you want to work today?

In regard to 1): didn't Ryanair offering a manual check-in option for an extra fee? And assuming they couldn't take card, the fee could be paid in cash, for an extra fee?

Re: Impact...

"I want a government inquiry into how some third party American company has the ability to hobble NHS services, and UK airports."

But we know that.

1. They all depend on computers

2. Windows has become the standard operating system because nobody ever got sacked for buying Windows in the same way that "nobody ever got fired for buying IBM".

3. Windows has a virus problem

4 Crowdstrike is one of very few AV products being bought by corporates (probably similar reasoning to 2.

5. Windows, Crowdstrike and any other products which are operationally essential and have a virtual monopoly become a single point of failure

Now where, in that chain, are you going to find any specific individuals you can finger as being responsible as being culpable for buying industry standard products.

Yes, it's a bad situation but what is needed from such an enquiry isn't scapegoating, it's a recommended policy to be acted upon (the second half of that is usually the sticking point) to escape from the monocultures.

Re: Microsoft to blame, surely?

"If you cannot code defensively to ensure third party services don't take down your product when they fail, you have no place as a software engineer or a software company."

Likewise if you can't code defensively to ensure your product isn't taken down by your own badly formatted data file.

Re: WTF?

If it's embedded then embed it very thoroughly. Nobody gets near it to install viruses so no AV, no AV updates.

Re: WTF?

What part of "safe" did you overlook?

Re: WTF?

"hiding in the basement."

The one with the sewer release valve in it or the one with the killer robot?

The most important questions you can ask of any form of administration start with the words "What if...?" Unfortunately asking such questions is perceived as "being negative" or the like. If asked such a question and you can't answer it, try to find the answer; it might be important.

Until you realise that the locks are all similar and all prone to the same remote updates. Then the three become one an that's a single point of failure.

Re: Pigs.

I took a look at FlightRadar yesterday afternoon. Traffic was a bit light but still reasonably busy. One thing that struck me when I looked was the track on one of the planes coming into Manchester. It had executed a peculiar loop around Hyde which is where they normally line up for the runway and a following plane had executed a loop a bit further back, neither in the usual holding locations. Clearly something had temporarily held things back. Whether or not it was Cloudstrike I don't know but I've not seen that one before.

Re: Beyond me

Tell me you haven't got the first notion about beyond modern Windows

Re: Beyond me

It's called planning.

Re: Beyond me

"I'm pretty sure that nobody ever considered losing 80% (or more?) of the estate in one fell swoop."

Anyone doing proper disaster recover/business resilience will have planned for any or all critical servers being lost along with at least some of the workstation fleet.

As I keep saying, there's never the budget to do things right but there's always the budget to fix it when it goes wrong.