$125k in baguettes
That's a lot of bread!
45 publicly visible posts • joined 24 Oct 2018
From what I've read, it affected all Windows hosts (both physical and virtual machines) that had CrowdStrike installed, so a very simple test process would have spotted that. A simple test wouldn't have spotted the dozens of other ways a configuration change can go wrong.
Amato said. "This could have happened to literally any organization that operates the way CrowdStrike does."
No organization, let alone one offering endpoint protection for business customers, should operate the way CrowdStrike does.
It releases configuration changes to all of its customers without testing whether the changes achieve their aims. This seems to be its policy - CrowdStrike's explanation of the incident doesn't say anywhere that someone should have tested whether the new channel file/template instance achieved its aims.
Some organisations have a policy of testing changes before rolling them out but, in an emergency, they sometimes reduce or even skip the testing step. That's not what CrowdStrike says happened. Their normal process seems to be to come up with a new thing they want to monitor, change a configuration file in a way that looks like it should detect that new thing, run it through the validator and unleash it on their customers, without actually testing whether it detects that new thing... or detects false positives... or breaks existing functionality... or degrades performance... or crashes the machine.
I appreciate it isn't easy to test whether the change correctly identifies malicious named pipe behaviour because you either need to use a malware sample or a malware simulator program, but it isn't rocket science. I'm sure CrowdStrike could afford to employ someone who knows how to do it. It could also afford to employ a manager who knows how important it is.
From reading CrowdStrike's explanation, it seems to me there were four main issues:
1) The content interpreter (running on 8.5 million Windows endpoints) can render the machine unusable when it reads invalid data in an IPC Template Instance - this indicates a QA problem in a critical software component and is quite concerning.
2) CrowdStrike's policy is that IPC Template Instances can be rolled out to 8.5 million endpoints without any testing, as long as they pass the checks in the Content Validator. This appears to reveal a staggering degree of complacency by management.
3) The Content Validator contained a bug which allowed invalid IPC Template Instances to pass the tests - this indicates a QA problem in this software component, which wouldn't normally be considered critical, except for the policy of not requiring any other testing.
4) Someone created an invalid IPC Template Instance and submitted it for checking and release. This is an everyday type of mistake which should have been caught by QA processes and tools and, as a last resort, by validation within the content interpreter.
There were other things which could have been done to reduce the impact, such as allowing customers to know what was in each channel file and decide for themselves how they wanted to deploy them but, given that this wasn't part of the business agreement, I think the four points above are the main failings which led to this catastrophe.
I don't have any connection with CrowdStrike, either as an employee/contractor or as a customer/user/victim. I also wasn't significantly inconvenienced by it, as I wasn't planning to use a plane, train, doctor or any of the other services which were affected.
Canonical/Ubuntu have published the following mitigation, which may be useful if you can apply this change faster than you can install the patch:
"Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from this vulnerability."
Copied from here: https://ubuntu.com/security/CVE-2024-6387
Victims of the breach have been offered 12 months of credit monitoring.
It was first detected 12 months ago, so the credit monitoring should have started 12 months ago. I'm fairly sure that didn't happen and they are offering monitoring for just the second year that the data was known to be available for misuse.
I've been corrected about this by a friend whose grammar is much better than mine. He told me that a company (such as Greggs plc) is singular, which made sense once he had explained it.
I generally think of a company as the people who it employs, which is why I often catch myself using the plural, even knowing that my friend would disapprove.
The actual statement on the website is "The annual risk of an individual human being injured by space debris is under 1 in 100 billion."
So it is about a 1 in 13 chance per year that someone will get injured (or maybe a bit less, as multiple people can get hit in the same year).
I don't know where they got the figures from, but they've found some reassuring generic figures, rather than work out the chances of being injured by these particular two tonnes of junk.
Most of us here on earth are far more likely to be injured by a two tonne machine on wheels than one falling from the sky, partly because there are far more of them about.
> That alone is a big step forward for the US legal system where normally these sorts of crimes end with the company raiding the CEO's hookers and blow petty cash box to pay the fine and that's the end of it.
That's trickle-down economics in action. If there are fines, it is the poor hookers and dealers who suffer :-)
> His community service should be having to work for some credit monitoring outfit or something that is largely related to what he was convicted of...
Work that gives access to more personal data? I'm not sure the data subjects would approve of that, especially since most of them only have credit monitoring in the first place because their data was leaked by some careless company.
Not sure what all the fuss is about this feature. I've been self-driving cars for decades :-)
Because that's what it means, isn't it? The alternative would mean the car drives itself, which it clearly doesn't. If the car drove itself, the people in the car would all be passengers.
The sole director of Jackpotcomics Ltd is listed as being resident in the Philippines.
https://find-and-update.company-information.service.gov.uk/company/11963186/officers
The referenced BBC investigation uncovered how tens of thousands of companies were set up, recruiting people in the Philippines to be registered as their directors. I assume they did this because when HMRC realise the arrangement is dodgy, the directors are out of their reach.
I'm sure there are legitimate UK companies with Filipino directors, but this looks very much like the tax dodge identified by the BBC.
The subheading "But it seems the iPhone 6 and SE will be looked after until the end of time" isn't right - the iPhone 6 was dropped in 2019.
The iPhone 6s is a different thing.
Even that is unlikely to be looked after until the end of time, but that's a different matter :-)
The article says BT believes it could achieve a 50 per cent reduction in latency, which isn't the same as a 50% increase in speed. Unless I've misunderstood how they think it is possible, it would require a 100% increase in speed.
The speed of light in a vacuum is pretty fast but it comes a distant second to the speed of light in a marketing pitch.
The bucket effect is expected. The scoring system is designed to be an assessment of the severity of an issue so, obviously, different types of issues with similar severities ought to end up with the same score.
I don't generally use the CVSS score on its own. It is worked out from other metrics, such as Access Vector and Confidentiality Impact, and I find these really useful for deciding what the potential risk is to our systems.
We once had a security audit from a firm that ranked their results as Critical, High, Medium and Low with absolutely no consistency as to how they chose the severity. They ranked nearly everything, even things with no actual security impact, as Critical or High, and would not justify that decision. CVSS is far, far better than that arbitrary system. It isn't perfect, however, as the article explains.
The article says everyone should be out by 10. I'm fairly sure the new rule is 11, although they have to make their last orders by 10.
The regulations themselves don't actually contain the phrase "substantial meal" and I reckon you can get away with serving cornflakes.
The Health Protection (Coronavirus, Restrictions) (All Tiers) (England) Regulations 2020 say that the meal must be "such as might be expected to be served as breakfast, the main midday or main evening meal, or as a main course at such a meal."
They're here:
https://www.legislation.gov.uk/uksi/2020/1374/made
Most businesses, when starting, get cash from investors and use it to pay for losses until they start to make a profit. Tesla has done this on a grand scale, having received 6.618 billion USD from investors (as of 31st December 19, unaudited). If you include investments received by its subsidiaries, it is 8.11 billion.
At this point, it is hard to know whether Tesla will be successful in the business of selling electric cars. It has already proved to be very successful in the business of selling that dream to investors.
I think COKE (and by extension, Coke) IS a registered trade mark.
In the EU, registered mark EU002091940 protects the name from being used for the relevant class of goods:
Class 32 Beers; mineral and aerated waters and other non-alcoholic drinks; fruit drinks and fruit juices; syrups and other preparations for making beverages.
It also protects the name from being used in a wide range of less obvious products, including edible birds' nests. If you try selling "Coke" birds' nest soup, you can expect a letter from their lawyers.
https://trademarks.ipo.gov.uk/ipo-tmcase/page/Results/4/EU002091940
There are other registrations for the same name, presumably covering even more obscure product classes.
In December, I ordered some Intel NUCs, only for our supplier to cancel the order in January due to an unexpected chip shortage. They couldn't source the i5 or i7 parts, so I had to settle for i3s.
Maybe our supplier is to blame for accepting an order they couldn't fill, but it demonstrates that the shortage is affecting the iX family, as the article suggests.
I read the article and then it took me a while to figure out why you need more time on amber if you are turning. It has nothing to do with coming out the other side of the junction.
It is because, after a split second of reaction time, you need to make a decision about whether to go or stop. If you are going straight, you have the choice of proceeding at full speed, or stopping. The formula is designed so if you are the critical distance away, you have time to either stop at the line, or pass it at the expected speed. If you are further away, you have to stop. If you are nearer, you have to continue.
If you are going to turn at the junction, you have the choice between stopping, or decelerating to make the turn. If you are decelerating, it will take longer to reach the stop line than it would at full speed, so you need extra time.
"Tsohost - our hosting company - disconnected our Lemonrock server from the Internet early on Monday 10th June 2019. They did this without warning, and later claimed that they had suffered a cyber-attack."
Their full explanation is here:
https://www.lemonrock.com/newhost.php