✅ Get the FREE Software Architecture Checklist, a guide for building robust, scalable software systems: arjan.codes/checklist.

Your kernel is crashed. No malicious code can be executed. Your computer is completely protected now. Thank you for choosing our company!

I think the even more fundamental problem here is the security software mono-culture. I know CrowdStrike is big, but honestly, I was surprised when I heard in the news how broadly sweeping the impact was across companies and even across industries. If everyone's using the same software, that provides a ripe attack vector for hackers. 😒

It's partly about $$$ and partly about how everything nowadays is expected to happen with speed. Back in the day (30 years ago) I worked for a bank. We maintained a very large enquiries counter system. Before anything got pushed out to branches, it was tested for weeks. We had dozens of test engineers and they would run through every conceivable action. Then and only then a release would happen to a local branch. This would be tested in the wild for a week. Then a small group of branches for two weeks, then a larger group, then finally the main group. The result was that very few (if any) show stoppers made it to production. This meant a slow cadence of releases though. Also this was a large project with extensive management backing, so the cost was not really a factor (within reason). This type of behaviour would never fly today. Everything has to be done on the cheap, with minimal testing, just "get it out there". I call it the "just get it f**king done" attitude - this is very common nowadays, especially among MSPs.

So we have the CrowdStrike option ENABLED so CrowdStrike won't release the latest version of their software to use (we stay 1 version behind) - apparently they don't actually even check for this so we got it anyway. Absolutely shoddy development :(

People seem to be overlooking the glaring fact that they pushed an update that was corrupted or checksum failed which means there was a wide open vulnerability that allowed man in the middle exploits or injecting code with modified files directly into the Kernel….

The CEO of CrowdStrike, George Kurtz used to be the Chief Technology Officer of McAfee in 2010, when a security update from the antivirus firm crashed tens of thousands of computers.

My career has been leading engineering organizations. This is not a new issue or a unique issue. Bad driver code crashes systems. Because of that, the industry has created well known and effective ways to prevent problems. You've listed them. The issue here is a company with wide spread driver releases that failed to follow those practices. The free market has created a process for handling that and it is called competition and consumer choice.

Most surprising is that PCs still don't use A/B installs of the OS, where you use one copy and update the other copy, then switch over to the updated copy, and you can switch back if the update failed for some reason. With disk space so cheep, you'd thing every Linux/Mac/Windows PC would use that by now. In Linux at least you can revert to a prior Kernel version.

The Crowdstrike disaster hasn't struck because they needed to move fast, but because they obviously haven't tested this specific update on a single Windows machine. Because if they did, they'd immediately noticed it would crash. And they made a similar mistake already in April. That time it could be somewhat forgiven because it only occurred on two distributions of Linux which hadn't been in their test matrix.

A mechanism rolling back an update after X number of failed boots/etc would help a lot here. My router does this, it keeps a copy of the old firmware it can automatically revert to in case flashing a new firmware image bricks it. SUSE's MicroOS does similar by having a stateless OS and transactional updates that are snapshotted in the BTRFS file system. If it crashes and reboots, it'll automatically rollback to the snapshot before the update while preserving user data.

But you can have it both ways: it's called rolling updates. You don't deploy software to a billion endpoints in one go.

This is a reminder of how fragile our IT solutions are. Imagine a solar storm occurring and the devastation it would cause! We need a plan B for critical infrastructures to always be in place!

Something that needs to be more highlighted from this issue is that companies have in recent years been offloading their IT resources but are still adopting external, overseas-managed (i.e. managed in the US) solutions. Companies should always have an in-house team ready to respond to system failures. Informed, careful companies would only have had a couple of hours of downtime...

I want to add that the fact that CrowdStrike is so widely used makes it a target for bad actors, and perhaps how it operates internally, which seems to be monolithic, is also a problem. We also do not know what government and military systems were affected by this "bug" . Regardless of other bad practices that were at play, CrowdStrike itself may want to consider a lessre and perhaps break up its platforms into shards, such that entire industries are not a impacted by one bad software update or a bad pod

The issue essentially is that there is a kernel-mode driver - no doubt WHQL certified - that is running uncertified p-code from installable 'definition' files, so that a bug there will cause the kernel-mode driver to execute bad code, and bug-check the system. Perhaps the kernel-mode driver needs better checking and self-defence - could the WHQL certification process require this?. The 'fix' is to gain access to safe-mode, boot without the driver, and then remove the installable definition files, so perhaps a system should identify crashing 'boot-required' drivers and sideline them if they crash repeatedly.

Humans tend to think they can sacrifice quality for speed, which works for some time and then fails miserably. It's a bit like the uncertainty principle, there is a fundamental limit that cannot be cheated.

So, basically Crowdstrike could not even secure itself against itself. Well done Crowdstrike, well done! (Slowly clapping) To Microsoft, get rid of Crowdstrike, no IFS and no BUTTS!

Was there any test in canary environments? I guess not and how long does it take to test in canary? I cant understand a company like crowdstrike overlooking best practices.

I find it utterly incredible that they don’t test the update on a sandboxed system before sending it out.

One (partial) solution is to have a backup computer, that stays a version behind or a few days and only comes online if the main server stops responding. It would prevent this problem and could only be exploited in case a hacker could take down the most up to date server. You could even rotate the servers, so you update 2 versions each time. Another solution is to have canary distribution with faster turnaround. Set the most secret systems to have the update first, have the next group within an hour later etc. It means you make your last group vulnerable for a few more hours, but you give them the peach of mind that it was tested for a few more hours and is unlikely to crush that fast. Last solution is to disconnect systems from the internet. No computers with internet connection means no attack surface, and you can still work offline or maybe even with others on the same network. Keep the protection system guarding the gateway, maybe even keep several layers of different software at each layer, but leave the inner network isolated.

I thought this was one of the lessons from COVID: resilience is important as efficiency.

Good video but everyone seems to ignore the fundamental problem. How do you compile source code into a file of binary zeros?! At least if it had been a null file the size would have been noticed.

This was an embarrassing failure for Crowdstrike. All they had to do was test their patch on Windows PCs prior to release, and they would have seen those PCs blue screen. They could have fixed the issue, tested again, and THEN deployed. The more devices you’re responsible for, the greater the duty to test prior to deployment. This was negligence, pure and simple, and there should be a class action suit against Crowdstrike for the damages they caused. Such a suit would destroy Crowdstrike, of course, but that’s as it should be. Our world needs to deter this negligence in the future.

All great points, Arjan, and I agree with them. But you left out a biggy - companies want to make as much money as possible so they cut corners everywhere. You did lightly touch on time by saying sometimes you don’t have the time to create a proper fix for a threat. I agree, but there’s another time problem. To companies, time = money, so the time allowed to work on things is cut right away even when there isn’t a looming threat. Remote updating is a godsend for companies. It lets them ship a product that is incomplete and flawed thanks to time and money restraints. Them as the product is completed/fixed, the current installations of software are usually automatically updated without the knowledge of the user. These issues and all the ones you mentioned are breaking software. I’m afraid of AI, not for the reasons most people cite but because software code is garbage in this day and age. Why would AI software be any better?

In the good old days we had big mainframes running code which took checkpoints and did automatic rollbacks upon failure. They were replaced by lots of networked Microsoft boxes.

That unfortunately goes beyond IT infrastructure cost… harmonization of process and procedure… CrowdStrike, Boeing, cars breakdown… all those stuff are driven unfortunately by cost reduction and profit optimization … We are unfortunately only seeing the top of the iceberg and I am pretty sure we are only at the beginning of it … I wonder what will be the next big things …

Business culture breeding and promoting incompetence is a huge issue in all large companies

I think this is interesting case that software design decision to build monolithic kernels 30-40 years ago is showing it’s consequences today (Linux, Windows etc.). Prof. Andrew Tanenbaum was trying to convince software industry that micro kernels are better for reliability and security, while sacrificing some performance. Looking back this is my best guess that by going with monolithic kernels we build whole security industry around it because of security flows that can be there by design.

CrowdStrike has shown that it has become the biggest threat to security

When you expect something to work all the time in all circumstances but you can't define what all the time actually is or what the specifics of circumstances mean, you have unrealistic expectations. That is something each individual has to learn those willing to be realistic will have an easier time with less severe consequences learning that.

My rage at everyone downplaying this for CrowdStrike is immeasurable. This is a billion dollar company, with a B, trusted by critical government, public, and private services and they shafted each and everyone. The lack of outrage from our authorities is absolutely disgusting. Speaks a lot to the state of cybersecurity and tech in general

It's not a software problem. The decisions CS made was a tradeoff for functionality. The real root problem is policy. If you're a company running an EDR or even certain AV, you MUST build out a redundant infrastructure - specifically to mitigate bad updates. Which really just means if a system can run on 1 machine, you deploy at least 2 AND run different EDR or AV on each system. If 1 crashes (like last week), no big deal. 2 is 1, 1 is none.

I for one always saw the possibility of something like this happening, hence my reservations against automatic forced background software updates, which would sound shady AF in the 90s while today a widely accepted daily occurence. Don't get me wrong it has its advantages but something like this case was always in the ards.

for serious bug or zero day bug -- CrowdStrike should have simply disabled inbound traffic to the host (other than itself) and work on fix and roll it in limited manner. If it succeeds keep rolling it.... Would you fly a plane with this type of method? We ground planes immediately when there is threat -- but we treat security threat in computers in slightly business-as-usual method and take chance. This may change it ... Act first, disable and then push changes

Most threats do not require an immediate response level, for many a canary release mechanism based on system criticalness level 1) deploy to non-critical systems (grocery stores, small businesses, gas stations, government) 2) wait 36 hours 3) deploy to mid-level critical systems (banks, financial institutions) 4) wait 36 hours 5) deploy to critical systems, (hospitals, pharmacy's, airports) For the defcon 5 threat level scenarios, then perhaps use the shotgun approach.

A lot of the developers who are doing shoddy work don't know that they are. They may be incompetent, or they may not know the codebase as well as they think they do, or the codebase may itself be a ticking timebomb, full of patches and poor decisions that effectively hide a myriad of bugs. The industry is absolutely broken because it is full of people who are completely unaware of best practices and solid patterns, relying instead on their own unstructured learning that has gone unchecked for decades.

You aren't thinking through the problem sufficiently. There are two ways to solve this issue at the kernel level to prevent these kinds of problems with monolithic kernels. 1. Build a subsystem that if the kernel panics, reverts the system to the last known good configuration before the crash. 2. Build a driver subsystem that insulates the kernel from buggy or bad drivers and lets it continue to operate. This was the idea behind nooks written by Michael Swift in 2005. Either architectural change would build resiliency into the current OS kernels humans use. For whatever reason, no one is doing this. Their answers are always develop better drivers and they put these best practices into place and along comes some company like cough, McAfee, or cough, Crowdstrike who bring Windows systems down. People get angry and pissed because of ruined plans or lost money, but ultimately, nothing significantly changes because someone at Microsoft/Apple/Linux Foundation doesn't want to pay to make their OSes more reliable.

Well, the way you solve this is to keep doing what you are doing. Keep teaching and preaching good practices with your videos. You never know the second and third order consequences of your good work. Keep it up!

Add poor patching management in the companies: never apply patches directly in production without testing it in lower environments before...

One main thing that allowed CrowdStrike security software to crash the computer operating system was the fact that this security software must be installed as a device driver operating at the high privilege level of the operating system kernel. Normal program software running at a lower privilege level should not be able to crash the operating system.

I think one of the problems is this automatic update culture

What’s the cliché say about putting all your eggs in one basket?

There is (should be) a standard pre-release test even for time-critical security software: The test should be that the target operating system can at least boot to a point where the updater can allow new versions of the security software to be installed. The test should be run twice: once on an instance that keeps upgrading the software and one on a freshly installed operating system. If just those tests are implemented then, to an extent, you can rush the rest because fixes can be sent out to clean up errors. This test doesn’t need re-writing for each instance of the software. Other tests (does it block the malware, does it not interfere with critical applications, ...) can be run after launch because errors can be cleaned up automatically. There is room for subtlety here: a customer might sign up for the pre-application-testing version or the post-application-testing version. Perhaps they do their own testing. Perhaps they have made a risk-balancing decision. This sounds so obvious. Hindsight is a beautiful thing.

Mark Russinovich retweeted using Rust instead of C++ for systems programming, "for no particular reason".

This failure was quicker in onset and damage than Solarwinds. Diversity in systems …NOW! Need to build heterogeneity into the system rather than homogeneity.

So your argument is that there was an imminent security threat that the update addressed? Is there any evidence of that?

As an IT expert, all my life windows has always been a problem, always presents some kind of problem to begin with. We need a new operating system that can replace windows that can be tough trustworthy.

Error checking and error handling design. Don't trust data coming in, and don't trust data being returned from functions. Really don't trust the user.

anyone consider how a single company can affect so many systems single handedly at kernel level worldwide. Does that mean a single bad actor at the company has the potential to compromise those same systems globally with a silent malicious payload without anyone knowing or even noticing thanks to the default automatic update to the bleeding edge build version?

Maybe the kernel security layer should be virtualized, so that a corruption of the kernel can be quickly be switched off. Despite the claimed need for such deep access, if companies like Crowdstrike can corrupt the kernel, hackers (including nation state actors) could the same, or worse. At least the Crowdstrike bug just crashed the system, but other bugs can subvert it.

It was not a security issue. It is a management issue. Perhaps MBAs should not run engineering orginizations.

It seems to me to be the old problem of shutting the gate after the horses have left. What's needed is to have a kernel process built with a number of 'gates' where the system will not continue past a gate unless it passes its constraint and then to have a error 'fail safe' that allows the system to execute in safe mode so any changes can be made to restore operation if the gate fails. This would have saved CrowdStrike. Further, the system should be based on an identity management framework where identities/entities and permissions can't be pivoted or navigated out of to other entities. At the kernel level and beyond. All operations should check credentials before executing programs. This is easy to do if there is a relationship between the entity requesting access and the entity controlling access. No relationship, no access.

There is no Silver Bullet.improvement within a decade in productivity, in reliability, in simplicity.” • - Fred Brooks, 1986.

Knowing these questions is important. Actively listening to industry experts and less to corporate experts (They only lead to better return on invest, and now that is AI). This event should be a wakeup call, but I don't think people with think of it like that.

CrowdStrike hit linux few months ago, too, but nobody told anything since impact was smaller CrowdStrike also was able to force such upgrades. Plus, we can have both w.r.t tests and velocity, ContinuousDelivery main front person, Dave, told it as well :)

doesn't help that the newer versions of windows doesn't allow you to roll back the update without it trying to reinstalling right after removing it

The driver code itself was not updated, but rather a "channel" file that contained attack detection templates was pushed out with all zeros. The driver contained faulty template verification code that allowed the broken file to be parsed, and this included what should have been a valid pointer offset value. The driver then dereferenced a bad pointer and crashed the system. So really, if they had more thorough testing of their core code, they could have prevented this.

Why couldn’t Windows be written to quarantine any driver that behaved like crowdstrikes? Wouldn’t that have allowed recovery to be quicker?

If this clusterfuck has showed one thing, that is that important companies and instances can’t cope with disasters. There are no manual backup processes in place. And it’s not only computer systems that can fail but also long power outages, internet outages. Long traffic problems that disrupt goods from going where they need to be. We need to not rely as much on government global infrastructure but decentralize systems. Back when I was in the energy business, I was propagating for small pebble reactors for towns or larger neighbourhoods. Instead of massive 1GW nuclear power stations - the bigger the more complex and the more material is needed. Whereas small reactors are simpler to build and even safer. Russia understood this and they are moving in that way. And it also is great against acts of war. Taking out 4 or 5 power plants and you disturbs all of the industrial areas of the Netherlands. Taking out 50-100 smaller ones is a lot more of a hassle. And we should use cash cash and more cash for our daily shopping. And we should actually buy locally from local farms much much more.

NSA has better access to kernel than CrowdStrike. Let that sink in. 😂

Technical glitches can happen. The fundamental problem is not technical. It’s managerial. The “business continuity “ planning does not exists anymore. The critical systems and industries must have redundant and durable systems. All the eggs are in the same basket unfortunately.

As a software engineeer myself: - To less time: to test, to build well/refactor, to rebuild legacy code. Deadlines pushing bad/not well tested software into production. - To much stress because to much firing/people leaving and rehiring all the time. And with the problem the knowledge of parts of the software is gone. - A lot of bad managers in the IT world, who make the above happen - Companies see software development/it as a cost instead of a win: For example in some companies i worked sales persons get bonusses when they make enough sales selling the software, while software engineers dont get anything. - There is not a real easy to see how good/bad a software engineer have been working for managers/people who cant read code. And because of this most companies only look at speed. Not how well software is written. This have been happening for a very long time in lots, probably most companies. With legacy code that isnt workable anymore and very hard to maintain. And should have been replaced years ago.

In part you want to avoid single points of failure. So don't run all your systems using the same security software, the same base OS for all parts of your systems. A more diverse collection of systems is less likely to go down all at the same time. Crowdstrike for sure isn't the only provider for these kinds of services, and for sure they won't be the first (or last) to introduce bugs in kernel drivers. There are sufficient opportunities for shit to hit a fan. On the other hand: Apple removed access to the kernel for all third party software. That may be needed for Windows as well, with an API to perform these tasks from user space rather than inside the kernel. And crowdstrike needs to have better processes for developing their code, but they are not unique there.

That's taught us again. SDETs are important part of our software life cycle!

Staged/canary releases should be obligatory unless imminent danger at which point the government should be involved. It is totally ridiculous that millions of PC's install kernel patches that have not even been checked on a starting group of a few thousand computers for at least one or two days. In this case there was no imminent great danger that absolutely required all of the millions of PC's to be updated within a few hours.

All parties need to fix this broken system: - Security companies cannot ever force push without testing. - OS (special MS) need to improve all aspects in this scenario with lots of new well documentated automated testing/check tools for multiple steps in the process. - Essensial companies cannot trust blindly on updates without basic checks, and MS should not be the only OS running if you want to make sure that you online all the time. We need better software build for failure special for essential compatines that cannot stop. If companies do not fix this on all levels it can open a new door for failure.

The promise of Continuous Delivery (as Dave Farley explains so often) is that you can release quickly and safely *because* you have a lots of tests. You work in small steps to achieve that. There might be an imminent threat and we will have to make a big change to our software to deal with it. You are back at square one: How do you know your change actually deals with the threat? Oh, that's right: By testing. If you say you need to skip that phase you don't believe in testing in the first place. If you skip that phase you get *something* to the market quicker. But will it help? Or are you pouring oil into the fire? The practice of continuous delivery with TDD is the best insurance that your software stays flexible and easy to change so you can deal with such problems quickly when they arise suddenly.

First, there is *no way* someone else's driver should be pushed to *your* customers. Second, if it is pushed, protect it with the software stack equivalent of a try catch. If that takes too many resources, have it remove the try-catch guardrails via something like a manual group policy push. But people focus too much on non-scaled performance. If a driver takes 10% more of your computing power by being outside of the kernel, that should be a choice you can select as the customer.. and in most cases you should select that. I remember when.. Windows XP? crashed becuase of a bad graphics driver.. I was pissed, since the performance hit caused by being outside the kernal wouldn't affect what we were trying to use "NT" for. Kernel's should have the option (or by default) be as slim as possible.

This one feels off.... Opposing speed of development to quality. Hasn't that always been the case finding the balance between stability and throughput ? Isn't that the whole idea behind DevOps? Making sure that rigorous testing and quality isn't an impediment to rapid delivery. Making sure that it is part of your standard flow not a heavy process but sufficient guardrails that you can quickly release and just as fast rollback... I am still curious to see more post mortem info on what went on with crowdstrike but I am not sure testing could have caught this one. Canary releases maybe but anyway still waiting to know more.

A rant about this is perfectly fine. We need to speak the truth if something clearly goes wrong. To remain silent, not wanting to be "negative" in such a scenario would be wrong, it only strengthens the wrong approach and thinking. The responsibility of a software engineer includes detecting problems early, thus avoiding them in the first place. This is an essential part of implementing a good solution, by avoiding a bad one. CD is exactly about that. It is not rigid at all, don't fall into that trap. To bypass good engineering practices is never a good idea, especially at this scale. CD with all its techniques supports fast incremental progress into production. It can raise software quality dramatically, minimize defects, and it also does prevent desaster, both with respect to releases and to the intrinsic quality of the product. A failed integration test with a widely used OS obviously would have prevented this. The choice here is not whether to allow a quick release into production or not (good CD practices even speed up the release because a high degree of automation is included), BUT the choice whether to apply CD best practices or not is this: Do you want to avoid desaster and be notified as early as possible that you have to fix the software before deploying it ... or do you really want to deploy a bug into production if you could have detected and fixed it before? To apply CD is not about preventing a quick deployment. It would have been about preventing the release of a problem in this scenario. If people experience problems not being able to release quickly when they have to, then they DO have quality problems with their software or with the system architecture or they do not have enough understanding of CD and how to apply it correcly. They then have to improve their engineering skills instead of accusing the necessary and professional techniques which they have not mastered. Incompetent people in charge making decisions under pressure, or for whatever reasons, are the actual thread. It is not "AI", but yes, the thread is also about intransparency and lack of knowledge. "AI" is a marketing term, nothing more. If a software can detect patterns and even learn to improve the detection of security problems, that is perfectly fine, whatever techniques or tools it uses. The internal mechanics of a software are never transparent to the "end user". This is normal, whether "AI" is included or not. But yes, we do have a problem if engineering is done without exact knowledge of what is going on. The ongoing loss of culture, education and priorities is the actual problem, not the use and integration of technology itself. When I notice software "engineers" using the term "AI" internally and following the same belief system, that scares the hell out of me. Technology is not a thread, but inkompetence is, and always has been. There is a clear answer to the question of how to solve the global problem: Education, thinking, acting with a sense of responsibility and the right priorities as human beings. Now this may read strange, but what that means is this: Stop cheating. If you do something, do it well for the sake of what you are doing ... money must never be the top priority, money is not even real. It is a mental construct to make exchanging things more efficient, by comparing the value of things. This requires balance to work. Subtract or add the same on both sides. This is simple math and obvious stuff. If you see money as something to be maximized, then this is abuse of the limited resources we have and of other human beings, of your very own species. Magic does not exist in this world, money cannot be "generated" from nothing. The law of coservation of energy is a fundamental law of physics and it of course applies to everything, including life itself. For every shortcut and for every selfish act, someone else will have to pay the price. Is there a problem with a software which breaks encapsulation, to access the Kernel of an OS? Yes of course. Does it have to do with EU regulations, forcing MS to allow access to a protected layer? It seems. But the root cause of this may be unfair economic practices to exclude others from "competition". Or it is pretending that a successful company does so and thus invading their space, for the sake of making money. It does not matter which side is right there. That is fundamentally the wrong type of thinking. The actual root cause is a wrong definition of "success" which has invaded our culture in a very harmful way.

That is the question of proper, profit-related system administration. Companies layoff their system administrators, turning all updates on automatically ? So they got automatic crashes like that. Big companies should have system administrators to manage infrastructure maintenance, grow and updates safely.

Surprisingly, my employer was not affected. After all, our IT usually doesn't leave any chance to screw up pass without making good use of it. But we are affected by supposed "AI securtiy software". Some years ago, they changed from a common rules based antivirus to something that supposedly uses AI. And it is so terrible. One thing it likes to target are programs that you just compiled (even a simple "Hello World" that you used to test if a new compiler version is working), parts of development software that we have used for ages, and now it even stopped attacking another supposed security software (we think it is just something they use to monitor what we do) that supposedly filters web traffic. Yes, it deletes that software as well. Of course, this is all just stuff that has an effect on individual workstations, not on a global scale, but it is so annoying...

Shows how a product that works 99.99% of the time makes one mistake and it all goes to hell

The reason the world is so fragile right now is because of a) tech monopolies and b) efficiency over pragmatism. Why does MS have such a large share of the corporate market and why aren't our various regulators challenging that? In nature, monoculture ecosystems are the quickest to be killed by disease. And why does everything have to be automated to the point where there are no humans in the loop? Mostly to be more "efficient" and reduce costs - at the risk of much more expensive black swan events eventually coming to ruin your day.

I imagine Monte Carlo like testing methods are going to become more common for testing critical software, as demonstrated by the TigerBeetle database team. The bug was from dereferencing a null pointer. The channel Low Level Learning had a video on this. I saw another video on this saying it would've been very difficult to catch this in testing (I don't recall why). Clearly automated testing needs to be improved to have higher odds catching such errors.

I'll just say there is no reason this software would have a need to "quickly deal with a security threat". The software itself is a security threat. It should be removed from all computers, and the company should be disbanded. See videos from people who have analyzed their driver, and how poorly it is validating its virus definition files. The download of a bad definition file caused this crash, NOT a driver update. Because they wanted to bypass the driver update process.

This is called “Experience”

That's what you have when you have no patch management or change management process. Microsoft does not have one. It has the public to do that for them.

It's often the case that management decides, even before software has been properly tested, when it will be released. Tests might find flaws that require changes to the code, followed by new tests that potentially find flaws in the revised code and require even more software changes. Management has to wait until software passes all tests before deciding when to upgrade.

I thought this all was a long-winded setup for "I wrote a free book about how to be a senior software engineer" It's like "How do we solve all those problems? Well, I don't know, but I wrote a free book about how to be a better software engineer" 😆

One root cause of issue is that bullshit security, having a lot of complexity and adding more complexity in form of some security application. In reality when someone want to make reliable system amount of complexity is minimized. That is why critical places all unnecessry "moving parts" are removed and system is locked down tightly. It can be even better if code is formally verified to avoid bugs. Humanity has knowledge how to do this correctly. I even have alone the knowledge how to do it. Instead we see bloated software stacks, dumb IT who thinks that end point security software should be installed on critical, dedicated system. Or dumb insurance company who require it. One issue is also that today 95% of software developers don't even know how computer works. There is lack of deep knowledge and software developers are actually those people who are understand technology better than some lawyer in insurance company.

I believe that concentrating solely on the code quality and metrics is not guaranteeing security. We must always look at the wider context and recognize risks, extract safety invariants and make them into critical requirements that must not be optional, gated by no other condition. We need a model for that, perhaps some sort of description language. Another thought, security model is such that computer system potentially can do anything, but its mission is to do some very specific set of things, and it is loosely kept busy doing its mission, and then we have an add-on software process on that computer whose purpose is to tackle and stop that particular computer system from working anything if certain criteria, which imply that this computer is taken over by some outsider malevolent will, are met. Perhaps dedicated computers should be for starters disabled from being able to do anything except their intended task? Keep "intelligence", reduce scope, reduce number of things that could go wrong.

I want to know what the actual failure was. I saw someone post a clip of the offending jump routine that was trying to move data to or from register R8. Now these are general purpose registers but what was the offending data or address or executable issue? Was that file we all deleted some other purpose that no one is mentioning because they don't know. Was it something nefarious?

Is it really "fundamental", when what was described is a combination of causes, i.e. the complexity of modern software, AI-blackboxes, lack of testing due to emergencies, etc.? For example one argument was, that there may not always be time for testing and canary releases, but was that really the case here, or was it just some automation simply because it was "cheaper"? I think risks of such faulty updates could be substantially mitigated by not applying panic mode to every update on every system. Even when some security breach might need immediate fixing on some systems, other systems might just need to be fixed eventually, because they don't use the affected component. So was that crowdstrike update really necessary immediately on all those systems? Maybe what we really want is proper risk assessment, when the cure might pose a greater risk than the disease, and on which systems. Combined with strategies to reduce the risk exposure, especially of systems used for very specific tasks, where a lot of services/daemons aren't needed and shouldn't even be installed, the risk of another crowdstrike could be greatly reduced. Maybe that risk will never be zero, but that doesn't mean we can't do anything about it.

This is why you need to properly test your installation/deployment process and tools. I'm not blaming the Test group for this one as I'm sure they were pressured and overruled on releasing this patch (by both Microsoft and Crowdstrike). Been there and done that one a few times in my career. Testing of the deployment process and installation/configuration tool/app is always overlooked. Always has been. I've tested installation software for commercial products and found them at times to be pretty crappy in how they check for version differences of files (don't overwrite a similar file and warn the user if you have to, but again a lot of this is run in Silent mode), correct location of files, and validate changes to the config/INI files or registry changes that are done. A lot of installer's are "dirty" in their process, basically just jam things on. But this mentality is endemic to software development, and always has been. Companies have to consider and remember that the Installer software is the first one an end-user encounters. And if it isn't pretty much bullet proof then you're going to have a pissed off customer and your reputation will be heavily impacted by it.

You just described outsourcing thinking. My single biggest problem with these systems is

its just going to happen sometimes. theres construction accidents, there's medical accidents, theres accidents in every field big or small regardless of their complexity. no manager is going to see this happen and say, hey guys we just spoke with the board and we decided that we can invest twice as much money to ship this feature and decided to move the expected delivery date by 2 months to ensure theres no crunch and devs are well rested. thats not how business works, not in my experience. a good answer is to always have back up systems in place. when driving cars one should always keep a fire extinguisher and spare tire. there are steps that all of us can take, developers, managers, users but we wont. thats why just get used to the idea that this is simply going to keep happening.

At this point autopsies have poped up on youtube channels everywhere. We most definitely know what happened, how and why.

I remember those old days when you can boot your system and see what files are loading and at what driver is stucking... and at the next reboot it will bypass.

It is always been risky to use an operating system that was made popular because it could run on the preferred video game PC platform with the same security concerns. There is a huge benefit with going with the crowd by using MS Windows, but for critical system the ability to switch to Linux operating system on the same hardware platform will likely take place at companies like Tesla.

It "has" to run in kernel mode ..except on MacOS 11+ that uses system extensions so that it works fine from userspace..

great analysis - mentioned about the dichotomy...

Perhaps even more fundamental, software quality is always going to come with a price tag, and gotta please them shareholders.

That make you think about a self-driving car with a bug in it.🦅

Just good questions! I hope lot people will open the eyes more and more @ArjanCodes i just discovered your channel since 2 weeks. But what a love for your good and clear vidoes. Thanks!

Great video as always! Thanks, Arjan! Completely out of topic: It would be very interesting to see your take on the game "The Farmer Was Replaced", where you have to write code to automate farming drone Thanks!

In this particular case, there's something more basic that would have caught the problem, and it requires no slow down of the development process when new malware shows up. When they deploy code, they need their software to phone home once the OS boots up, that's it. If when they deploy a new channel file and then reboot their test servers, they were to wait for the "phone home" before moving the code down the line for further testing and eventual deployment, they would have caught this problem. The user-land code would never have phoned home because *the OS was stuck* in boot. This is really just basic smoke testing, and it shows how immature their deployment pipeline must be.

I agree. There is a lack of appreciation in the general 'software' industry of the shaky foundations of logic & perfection that coding is built upon, and how it has permeated the foundations of many other parts of society. Those who are reaching for blame should have a read of the years of study of human error, safety studies, and their ilk to see how these major failures continue to happen. It's just another day in our interconnected world. When the underlying unexpected factor(s) is/are finally identified, they'll likely be tedious and boring from some disused cupboard that had been forgotten about (xkcd/2347).

If companies really do want better assurance they should be demanding third party audits of test and release management. But I doubt anyone would pay for it, so honestly this is the perpetual level of service companies will need to expect, and have backups if they don't like the fallout. Here in Canada hospitals reverted to paper record keeping during the outage. This is probably the right fallback for most companies if they don't want to pay extra.