"Well, well, well. Tell me, young gentlemen, why is it always you two when something bad happened??"

McAfee did something similar several years ago. A bad definition quarantined core system files. The McAfee CTO from that era is now CEO at Crowdstrike.

I got dragged into this and I'm now at 48 hours of overtime. Thanks CrowdStrike.

So there were 3 seperate failures from Crowdstrike. 1. The kernel Driver didn't have proper input validation 2. The Channel File was broken 3. The testing was so abysmal that they didn't notice before sending the update out to customers.

The problem is rolling out an update (that might not have been tested so well) TO EVERYONE ON THE PLANET AT THE SAME TIME. I can't believe Crowdstrike is operating like this. If you did a phased roll-out to a couple of smaller customers initially, and then monitored whether the updates didn't have any glaring issues this whole situation could have been averted.

"As I said online, you should just go outside and enjoy the sunshine." Okay, but what are people in the U.K. supposed to do?

The real worry is the lack of QA at Enterprise companies. A state actor infiltrating one of these orgs would be absolutely devastating.

Heh the BSOD at 0:40 is cool "For more information about this issue and possible fixes, do not ask us"

"If you put everything on the cloud, and then the cloud's not there, you've got nothing."

I was stuck in Atlantas airport because of this. It was absolute madness and everyone that talked about it, either from the airline or passengers, said it was a Microsoft issue. That's all most people are going to remember.

I was waiting for this video with extreme excitement for the last 2 days. I jumped on KZbin as soon as I saw the notification.

I swear this is only the beginning for tech companies that are losing valued senior staff over the many, many decades...

In the modern version of Battlestar Galactica, Admiral Adama absolutely refused to have Galactica networked to other systems and ships in fleet because of the risks to their it critical system. Yet here we are, allowing a root kit to operate unconstrained on millions of machines. Fun times ahead.

If Dr Bagley and Dr Pound had a podcast, I'd definitely listen to them talk for hours lol.

Perfect storm: no fuzzy testing the driver code, no staged deployment, no os blue/green boot partition

I think it's important to point out that Crowdstrike did the same thing back in April but it affected Linux machines (causing kernel panic).

This boggles my mind as an IT professional. I was part of a team that deployed patches and software for years. This included OS deployment patch deployment, software deployment the whole thing on both Workstations and Servers. We tested our patches extensively before pushing them out to the entire population of the environment. This 1st included a sandbox environment, then a select user / system environment, then we would stage our patches out over several hours so if something happened we could back out before catastrophe struck. And honestly sometimes we would find problems with the patches, and we would be able to immediately stop, suspend and even back out. Yes we would use 3rd party vendor solutions to help with this, and any time we changed ANYTHING we would follow our testing procedures and matrix, normal business. We would never shirk our procedures to test 1st, then deploy. To me this is a total failure of IT Governance and failure to maintain standards. (IT Governance is setting and maintaining standards and policies for the IT Infrastructure)

The frowny face is absolutely necessary

When talking about this incident it's worth remembering that hospitals were affected and she people may have died because of this. So it's all well and good to say when everything goes down, go outside and touch grass. But also, we do need to think seriously about whether we're doing enough to ensure software safety. We take it way less seriously than, for example, car safety. When a new model of car comes out it has to go through all kinds of testing to ensure its safety. But we are doing nothing to ensure software safety, we are just 100% trusting the vendors. I've been a software engineer professionally for 25 years and have long thought that the current approach is madness and incidents like this one only make more sure we need to have standards that all critical system software meets in its development, deployment and implementation.

Seeing two academicians discuss this issue is so refreshing. So many ideas thrown back and forth.

The guilty in this instance are both CrowdStrike and their Customer Security Managers. CrowdStrike has a history of shipping stuff that breaks systems, most recently their Linux product. The Customers said: Yes CrowdStrike just put whatever you want on our systems without monitoring. And by the way, we have no adequate disaster recovery plan. As a corollary, letting CrowdStrike put stuff on your systems also allows bad people to compromise CrowdStrike and deliver unlimited hurt. If I was a baddie I'd spend my every effort to subvert CrowdStrike!

The fix is simple, do not push untested code onto live systems where it will run as part of a must run to boot kernel level driver. Run it on a test system first. And never trust a 'security company' who says you should do otherwise (except in rare cases, such as a very bad zero day being exploited where it's a gamble either way). If they allowed this for a run of the mill non-emergency update then they don't know cyber security and safety well enough to protect a home gaming system, let alone major systems. This goes past gross incompetence to the point where I wouldn't blame anyone from suspecting malice. Though I personally think it was "we don't screw up, we stop screw ups" level hubris.

Software running in the kernel pretending to be a driver, when in reality it is a parser, what could go wrong?

Windows can in fact boot with the failing driver automatically disabled the next time, except for drivers that are marked as absolutely necessary for booting itself, and this driver is marjed as such.

Thanks for being the first source I found that actually explains what crowdstrike is and what went wrong here, and nice to hear some nuance amd perspective as well.

Enjoyed this. Glad I watched the recent 'Dave's Garage' video where he explained the problem. Here I saw and got a good understanding of the wider consequence management. Well werth wathing both I think.

The CrowdStrike bug was what Y2K wished it could be.

Working for a Bank we had drills where we simulated losing our systems for a few hours and had to do everything (and I mean every conceivable thing we might be asked to do in a normal day) without any computers. Including driving physical records to central processing locations.

Falcon is using definition files which are NOT part of the WHQL process which Falcon obviously is! I don't know how this works on Linux or MAC, but maybe it should not be allowed for Windows driver makers to deliver _anything_ to the kernel that does not go through the WHQL certification.

13.37% complete... ISWYDT 🙃

The new update to CrowdStrike falcon included some corrupted channel files (they contained just zeroes instead of the intended data), and because the core driver that loaded the channel files didn't do enough input validation, it continued on using the messed up channel files, and this revealed a bug that likely had been there for a while. The bug caused the driver to attempt to dereference a null pointer, which caused the BSOD.

My local pub went down.. no fish and chips for me..

A number of years ago Tom Scott did a fun talk called "Single Point of Failure." I think about that sometimes.

Very enjoyable format of two people discussing. Sounds less monotonous, too. Great job.

when the computer goes down, that is a sign to photosynthesize, nice

that os/house/hotel analogy was really good!

Linux has a feature that allows the sandboxing of channel updates using eBPF, although Crowdstrike doesn't use it yet. In theory, that could have prevented the BSODs had Windows had a similar feature. Also, I don't ncessarily agree that Windows is blameless here. While Crowstrike is definitely at fault, Windwos did certify their driver, and that validation somhow didn't include testing for corrupted or invalid channel files. There's no reason the driver should blindly trust those files without validation.

As someone who led the deployment of EDR and EPP to 18,000+ endpoints last year, agents are absolutely installed on Windows servers, yes. Updates like this that don’t go through change control are a calculated risk for more up-to-date protections. Problem is that the risk mitigation is that the vendor does testing and releases competently..

I am a recently retired Cyber Security (though being heavily involved in Computer Security for over 30-years, and a software developer for 20 years prior to that, I prefer the traditional names of Computer or Systems Security) Compliance Officer. Although the systems I monitored were involved with critical infrastructure and not open to regular users of business systems, they were still peripheral dependent on many such systems. Since I was a stickler for avoiding the Cloud and third-party security products, my former employer has taken steps to ensure I never know if they were severely affected by the CrowdStruck (accepting the pun) event. The real issue is something you two gentlemen mentioned but did not go deeply into. What if there were malicious embeds (i.e. spies) working for that organization, or for Windows System development? We would not be face a bad day or so, but it could been lights-out until every critical system were completely rebuilt and data backups restored. I can understand why discussion of that scenario would be avoided, but should it be avoided. If I were a critically ill patient in the hospital I would want to know so I could prepare for the aftermath.

Every time there's some outage, or bug, or virus big enough to get in the news, I get excited about the inevitable computerphile video explaining it.

Crowdstrike sounds like a nickname for Mustangs 😅

We can probably thank Dave Plummer for making sure guys like this actually know how to explain the issue.

Yesssssss, twas waiting for this. You beautiful channel you. The dynamic duo returns

Finally, a really good explanation of crowdstrike and what it does and what went wrong.

Crowdstrike did more harm to its clients, and to the Western world, that it could ever have possibly prevented for the entire duration of its existence as a company. How they ONLY lost 20% of their share value is mind-boggling.

Finally, FINALLY, some informed and cogent commentary on this issue that isn't just "Tech influencer says Windows is a mess and this would never happen in Linux or macOS"

Crowdstruck? We gave this overtime event a codename of 'clownstrike'

As an Ex MS employee and one that worked at Windows, I appreciate what was said at 7:42 :)

Typical "Management Bug?" A CrowdStrike engineer or two urges more testing before release. Some executive then pounds the conference table and shouts, "No more f**king EXCUSES! I want that update NOW gawdammit!"

I love listening to these engaged guys 😁

😂 the example bluescreen at around 0:36 , 13.37% 😂 love it 😁

I mean crowdstrike issues aside, WHAT A CHANNEL! Thank you

Crowdstrike didnt do any validation control(or not enough) in their Driver to check the .sys file before running it to confirm it wasnt just full of Null values etc.

These IT disasters always have the upside of flushing Dr Pound and Dr Bagley out of whatever else they’re up to, to give us these great explanations!

Its going to be very interesting to see what Crowdstrike learns from this. One thing they didn't seem to use is a canary or blue/green deployment scheme. Hoping for some enlightening blog-posts on the topic eventually.

I would have listened to these guys talk about it for an hour

You didn't mention that in order to install kernel drivers, the code needs to be submitted to Microsoft's to be tested, approved and digitally signed. As you mentioned, the bug was not present in the main kernel, but in the "channel files" that are updates without following that same process. It is not clear to me if those "channel files" are code or just configuration, but maybe Microsoft is partially at fault here for allowing these channel files in the first place, or for not sufficiently checking the kernel driver had the necessary logic to gracefully crash without taking down the entire system.

Computer Phile is amazing! I love your content and calm but casual demeanor. Your explanations and ability to break things down is superb! Keep it up 🙏🙏🙏🙂❤️

Are there no standards for deploying updates that run in the kernel?

I cant find one KZbinr talking about proper sysadmin practices at the enterprise level that would have caught this before getting rolled out. I have never worked at a company where PCs weren't locked down from software installs and every update (even ones from MS) were tested by local QA before rolling them out to your enterprise PCs. Unbelievable that airlines are being run this way. Unless Cloudstrike installed some rootkit that bypasses all these processes I'm shocked at the state of sloppiness in IT.

UPDATE: Thanks tma2001 letting me know the zero file was not the cause. And in fact there is validation in place. The error was somewhere else. So the below is inaccurate Seems it was a lack of input validation. Apparently the root cause of the crash was that one of the files in the definition update was just a file filled with zeros for whatever reason. Leading to a null pointer dereference (which always crashes, by design) But that makes me go like: Input validation anyone?! Does CrowdStrike Falcon fail to at least make sure the definition file makes sense as a definition file before blindy following its directions?

Never fails, something big happens in the field of cybersec, we can guarantee that we'll get a Computerphile video starring Dr Bagley &/or Dr Pound :)

Not seeing much understanding of administration. A system I was admining involves testing updates before they get installed on the live environment and with this many computers, you don't install it on all of them at the same second, you install it in segments and don't continue until you have successfully restarted the first batch of computers. This all about GREED admining, they didn't want to pay for doing to properly, my way of admining was developed in the 19xx, we have INTENTIONALLY dropped security to save money.

Big cyber-cockup (a beat) "Crowdstruck (Windows Outage) - Computerphile" ------ Right on time, thank you

It also doesn't help that Microsoft took away the key combo to tell the OS to boot into safe mode on startup. If that was a thing I'm sure this would've been at least a bit smoother.

Excellent discussion. I'm so glad I'm not in IT any more.

1:13 if that hotel is like linux then the guests would carry their own air conditioners 😂

This was a fantastic conversation! 😊

There is a bottle of water under the desk !

Oooh boy, you're guys are back. Finally!! ❤

Wondering how it got past QA? Seems like installing the update on a docker instance or vm would have found this bug.

"Anything that can go wrong will go wrong.." - Murphy's Law Another one I like is the variation of Murphy's law from Interstellar: "Anything that can happen will happen."

"Dave's Garage" a former microsoft software engineer just did a video about what he thinks happened about this. Very comprehensive and very clear. He also speaks extensively that this was possible because Crowdstrike works in kernel mode.

Thanks, great video. Any recent update?

Been waiting for this 🍿

13:06 totally agree, we just need to US develop our technology. But we see how US monopoly all technologycal aspects, and any real competitor they ban out...

8:42 It can happen and indeed DOES happen on mac and particularly linux machines but the difference is those operating systems have safety mechanisms in place so that mass IT outages like the kind that just occurred can't fail to the point of individually booting every single device into safe mode and deleting a driver file. As you said, there was a kernel panic error on clownstrike's linux distributions, yet it didn't crash the world's infrastructure because the error was handled correctly. So microsoft should be at fault in some part for not providing these error handling systems.

This is the best breakdown that I saw about this. Even if they do not say it, it screams: Start using better OS like macOS with APIs and avoid boot-start drivers running on kernel mode.

Honestly I would have called it crowdstroke :p

It's ironic that a bit of software intended to prevent a system from getting taken out ends up taking out the system.

The cure was worse than the disease.

Bagley and Pound. What a great duo.

"Sorry Elon"? Never apologize to that man.

This point about the OS being able to roll back a failed patch may not apply in the case, since it seems this was just an updated config file, which exposed an existing logic flaw in the application code.

Loving how social media is making comp sci lecturers get trendy haircuts and dress properly 😂

00:03 Windows machines experienced widespread blue screens due to an operational error. 01:55 Windows utilizes safety mechanisms like blue screens to protect against critical failures. 03:43 Kernel-level code in Windows can cause serious errors if not managed properly. 05:32 Kernel mode software failures can severely disrupt essential services. 07:25 Microsoft's Windows systems faced critical issues due to a specific bug. 09:04 Mitigating system failures through advanced update mechanisms. 10:56 A genuine mistake led to significant issues, but damage could have been far worse. 12:42 Cloud dependency poses risks for individuals and organizations during outages. 14:24 Exploring advanced image recognition capabilities.

Thanks Lord Targaryen

Enjoying the fashion coordination to represent affected hosts, even down to the socks!

12:50 don't apologize to Elon. He deadnames one of his kids. If he can do that, you can deadname his company. The best he's going to get out of me is ex-Twitter.

As someone whos network jumbox had this ... A very bad day for the IT guy in my company

This was nor very well informed with a lot of lacking info and some facts clearly missing. Much better videos already out there. That being said, normally a fan ❤️

On Linux an EDR software can use the eBPF kernel subsystem to probe system activity. And an eBPF program cannot take down the Linux kernel by design.

Apple has the luxury of being able to force changes to their OS like that because only a minuscule percentage of the world infrastructure relies on it. Microsoft must remain backwards compatible as best they can with their OS upgrades precisely because they aren't a tiny player in this arena.

This guy is great at explaining.

"They may have implemented something badly, we don't know". Yes, we do know. It happened, therefore they implemented something badly. This sort of thing is why we have canary deployments, and apparently they have the infrastructure for that, and allow customers to have settings for which computers get updates first in order to validate them, but they also have some updates that simply ignore those settings, and this one one of them. Yes, they 'implemented something badly'.

Really amazing video, like always!

"There's no problem with Microsoft. There's no problem with Windows."

The wider issue is that, while Windows acts in a way to mitigate the consequences of a malicious act (which this failed update mimicked), there has seemingly been no thought into how to manage, contain and recover from such a problem when it is happening at scale on massive numbers of end-points at a very rapid rate. The rate of 'infection' is happening far faster than it can be contained. Microsoft's kernel code policy on top of Crowdstrikes error has exacerbated the problem. The impact isn't a theoretical one, it is real with potentially life threatening consequences (like the Highways Agency being unable to control Smart motorways when their displays were not reflecting what signs were saying and they couldn't change them - that left people in Refuges being unable to rejoin live motorway lanes). It has exposed many weaknesses.

It's been obvious for a while now - MS does NOT DO software testing, nor Crowdstruck evidently. They are delegating the testing straight to the end user. They pushed a bad binary to an "on-the-fly" update, and after the updated binary was first touched, it crashed the system. That's criminal negligence, brought to you by industry's greatest security providers.

Thanks for explaining it so well. I love this channel!