This should be pinned

Thanks for the update. Have not used named pipes in a Long time....

Source please?

@@anaveragehuman2937 - www.crowdstrike.com/blog/falcon-update-for-windows-hosts-technical-details/

Then delete this video.

There seems to be an articles where it is said that some time prior, like maybe month or a few months before CrowdStrike allegedly did same as we see now for Windows to Debian 12 or Rocky Linux. Potentially because smaller blast radius it went not noticed in media. But I myself don't know if it was true or not, so take it with grain of salt

well, null pointer dereference is something that should throw an error, not be allowed and silenced without the dev explicitly handling it correctly. Problem here is, how was this ever allowed to be mass delivered to everywhere at once with such a glaring and general case bug that should have showed up at any sort of testing So linux handling it itself quietly, might not be the own you think it is

@@Songfugel it throw an error, it just didn't kill himself like windows did, where the fix were to reboot your machine 15 times and hope that the network go up first than the driver 💀

@@vilian9185 But a failure like that should kill the program and not let it continue, and since it was the kernel itself, it should fail to boot past it. Windows had the exactly correct reaction to this very serious error, problem is that it should have never gotten past first patch ot tests

​@@Songfugel No, you should leave it to the developer to handle a crashed driver. The end user using the driver does not care if it crashed or not, only that the program using it works, *and most importantly,* that the machine works. Fail silently (let the user boot), inform whatever's using the driver that it doesn't work and why, and let the developer handle it. There are times and places for loud failures. This is one of the occasions where it's better to silently fail and inform the developer. A crashed driver almost took down society with it. Edit because seems like it wasn't clear: no, I'm not saying we should dereference the null pointer. Of course not. I'm saying that we should crash the driver only, and let the system move on without it loaded. Or unload it if it crashed at runtime. If another program tries to use it, it will raise an error and will be able to recover why the driver failed. In enterprise environments it's much better to have the system running vulnerable than not running at all. A vulnerability costs millions on one company. A company-wide crash costs billions. A worldwide crash is incalculable.

@@capn_shawn 😂

Torvalds has always held that security bugs are just bugs and should not be granted special status whereby, given the obsession of some, all functionality is lost in the name of security. Crowdstrike just proved Torvalds is correct.

@@jedipadawan7023 He is kinda right here, but he is also often wrong and is just a normal person who just managed to get away with mostly plagiarizing (not sure if that is the right word, like Linus I'm a Finn, and not that great with English) Unix into an extended version as Linux

but you can break it

😂😭

And they did so ignoring clients' SLA/update management policies, too! Damages as a *result* of breach of contract? Crowdstrike's *done* for.

Well in my previous role, I deployed crowdstrike for a major broadcaster, and one common misconception in all of this, is that crowdstrike can push updates to customer endpoints without their knowledge or consent. It doesn't work like that. Endpoint management is handled centrally by IT admin, and when crowdstrike release a new Falcon sensor version, after reviewing, we can choose if we want to use the latest version or not. You can of course configure crowdstrike to auto update the sensors but that would be ludacris for obvious reasons.

@@marcus141 It wasn't a new version, it was just a definition file.

@@kellymoses8566 maybe I am missing something but if the driver file got updated, wouldn't the affected PCs boot into recovery only when shutdown? So, they could still in theory keep running if not shut down?

100% agree. They should've updated 5% of users and compared failures to before the update. Not send updates to everyone in one go! Especially for such a huge company writing a critical kernel level software.

Yeah I cannot possibly comprehend how and why this was pushed to everyone so quickly. Also why didn't the clients of crowdstrike say: heyy, do we really have to update everything day 1?

They're a security company and it becomes a necessity that they rollout security patches to everyone at the same time. Staged rollout means, you leave the rest of the customers viable to being compromised.

@@inderwool I agree if this was some kind of critical security update, but apparently it wasn't.

Especally code that can execute within the Kernel

I am still surprised that everyone apparantely just loaded the update. Surely in a big organisation at least, you run it through your test network first. And if you really don't have one, you will know better now.

They didn’t run it 😅 tested sections of code, but not the integrated product.

@@simoninkin9090 Or how they did not stage the patch on a small fraction of machine per hour and then pull it back when BSOD happens

this company went big because of politics, they are the one who investigated alleged hacking of Democrat email server.

@@ingiford175 Right. Rolling out to the world in one fell swoop is really irresponsible. Even given the best QA in the world, mistakes will get by, that's why you stage deployments.

@@stevezelaznik5872 that’s just it. They clearly did not go integration testing.

And you don't deploy anything on friday

@@rekko_12 Amen.

And you don’t deploy to the whole flipping world in one go.

And md5 checksum all files... They must use some sort of cryptographic signature securing package integrity. It means they don't test "end product" - they probably tested compilation products, then signed the files and sent it to whole world - and somewhere between end test and release one of the files was corrupted. I bet it was something silly - for example not enough disk space :)

@@grzegorzdomagala9929exactly my thinking. Just skipped on some critical integration tests - environment mismatch or something of a sort. However I don’t think it got exactly “corrupted”. The only reason the world got into this trouble, was because they have packaged the bug within the artifact.

Bingo. And I can’t believe the testing server was apparently the only (apparently single) server in the whole world not affected. I get that we don’t want to make assumptions and point fingers willy nilly, but this one is a bridge way too far.

the problem is centralized control that word salad is a tertiary problem

Well actually because of this shitty OS people miss flights etc. Should never run such critical systems in Windows. Just leave that for your employees PCs

​@astronemir so what alterations would you make on an OS level to avoid this?

The root cause is ACCEPTING null bytes, just check for them, its LITERALLY the programmers fault

MSFT: "Should we do something about the kernel, or develop AI screenshot spyware?"

Yeah buddy we all watched Office Space.

​@@HeeroAvarenwell I am old enough to have seen it first hand, I don't remember what office space said but I do remember all the overtime 😅

Welcome to bad reporting by the media, and a general lack of knowledge by the layman of tech

there is another one coming in 2038 when old unix system's 4 byte time integer overflows. jan 19 2038 ought to be interesting if any of those systems havent been fixed and are doing something critical.

I spend many months doing tests and fixing code for Y2K. That nothing happened is testament to the fact that we did our jobs well.

🤔 worldwide? probably trillions 🫣 updated 24h later to add: the peanut gallery is correct, the wikipedia entry makes it more clear that some enterprises and markets were unaffected and some were only affected for a short time 🧐 thanks everyone

@@astrocoastalprocessor Nah, it was big for sure, but i don't think you get quite how much a trillion is.

I have no doubt Crowdstrike are going to be sued into oblivion. I have been reading the comments from employees reporting how their company's legal departments are being consulted.

​@@jedipadawan7023 Just because a legal layperson is trying to find out from a lawyer if there is any legal liability doesn't mean that there actually *is* any legal liability. That doesn't mean people won't try to sue them, and that will be costly fighting them off.

The question is will anyone outside ClownStrike ever hear what actually happened?

DoS like a boss

the name is quite fitting seeing how many people were left stranded in airports

Oh funny enough, there's a topic on reddit (18 hours ago) told this: "In 2023, Crowdstrike laid off a couple hundred people, including engineers, devs, and QA testers…under RTO excuse. Aged like milk." But is there any official (or at least trusted) sources?

Sounds like a lot of companies

It’s true, but I think it’s vice versa. They’re keeping the “experienced” programmers while throwing away rookies. Atleast that’s the trend we see with google and Microsoft. They want to pay less to employment as a whole, and the only way to do that without tearing the whole team apart is kicking people out.

Not at all. They skipped the first test and went directly to the cheap inexperienced suckers.

Not likely. The underlying issue was obviously introduced already a long time ago but never catched. So far only valid "param" files where pushed and parsed by the driver. The error itself is likely easy to fix if you accept it has also to be able to parse non-valid files without crashing.

I hope a third party does an investigation

Narcissism is so prevalent in this profession. As with surgeons, violinists and physicists ;)

ive been bitching about crowdstrike for a long time.

@@juandesalgado Speaking as a retired violinist who now works as a software dev, I feel like physicist might be the next career I should look into!

@@FritzTheCat_1030 As a dev that started as a physicist, what are your tips to learn violin?

@@FritzTheCat_1030 lol - I hope you keep playing at home, though!

The problem is that these patches are automated OTA (Over the Air) patches. Which was marketed to businesses as there would be less administrative work in installing patches, since these patches come directly from CrowdStrike the trusted vendor. Thus, they wouldn't need to hire as many qualified IT people for cybersecurity tools patch management. It was like a SaaS service handled by the vendor that they didn't need to worry about. Little did anyone realize that there was no proper isolated testing done before pushing this out to production globally.

The lack of testing and slow gradual rollout + Windows OS architectural design flaws Combined, it created a single point of failure. Didn't help that AzureAD was also down as well so anyone trying to login via Active Directory to remediate the issue and get Bitlocker keys were also screwed. 😅

The update was more like a virus definition data file. The actual scanning engine driver file was not updated. These types of updates are apparently pushed multiple times a day as new “threats” are encountered. It is astonishing to me, that the Falcon driver cannot handle or prevent garbage data being loaded into it. Also it’s the poor architecture of Windows that driver crashes bring down the OS. Additionally possibly a bad architectural decision by CS to embed their software so deeply into Windows that the OS will crash if the Falcon driver misbehaves.

yeah, for the physical machines, I hope they have vPro set up; if they don't, I bet they're really wishing they had done it sooner. Lol.

@@Lazy2332Virtual machines proved even more unrecoverable than physical machines - you need a physical keyboard connected to enter safe mode (assuming you actually have the bitlocker keys).

I'm just astonished that this got past testing, AND was deployed to everyone at same time. Just screams of flaws in the entire deployment process at crowdstrike.

... and also the management for not giving enough resources for testing. Its always features, features, features!

Bc this clip is not worth it dont waste your brain

Right. If it was a network-type problem, the IT folks could have just applied a fix across their network from the comfort of their cubicles and then gone home at 5:00 on Friday. Instead some of them had to run around to individual machines and boot them to safe mode while others had to try to remember where the bitlocker keys were last seen.

Ye just a click baiting title but I guess everyone is just surprised off the scale of this. Most people couldn’t do their job and CrowdStrike probably made billions in financial loss to these companies, airlines etc

"tHe SiTuaTiOn tHaT bRoKe tHe ENtiRe InTernEt" Instant downvote.

Any *Windows computer. The Linux systems that run crowd strike weren’t affected :).

​@@nathanwhite704they were in april ;)

Would be even "funnier" if it turns out a bug in the file system.

​@@TheUnkowI'm still suspect of windows. I work enterprise IT at a big defense contractor. I see drivers fail ALOT in windows and most of my job now is just updating drivers. I see memory management, inaccessible boot device, nvpcl.sys crashes, all related to drivers that get rolled back/corrupted from windows updates. I'm just not good enough yet to find it and expose it.

@@sirseven3 As a developer myself I know sometimes it is the most weirdest bugs that cause the issue ... just a bit of an incorrect offset and any file or code may become totally useless ... sometimes even hazardous. I haven't been using Windows for a while because of being unable to determine what causes some the issues, I know that using an alternative is not always an option ... but debugging closed source is a really challenging process. Just because we get a set of API's or other functionalities from Microsoft to use ... no one guarantees they are bugfree or security/privacy/memory leaks free. Even if they were 100% ok, on the next update (such as in this case), an issue may be introduced and we will have trouble again. Note that Linux and any other software isn't fully clear of these issues as well, for example just recently they had the RegreSSHion bug, which was also a bug introduced in the update which enabled most serious security vulnerabilities. Still I would say the transparency of open source would make such issues easier to overcome and harder to introduce. Easier life with closed source has it's downs not just ups, we must take precations against that, glad to hear some people like yourself are serious about it.

I don’t know about later iterations but from my experience in Big Sur and earlier iterations kexts’ can still cause kernel panics, at least when an invoking an instruction that raised an uncaught/unhandled CPU exception, in my case I was trying to access a non-existing MSR register on my system. The thing is whether it’s kexts/drivers/modules on macOS/windows/linux doesn’t really matter, cause at that point your in ring 0, the code has as much privilege as the kernel, the only safeguards at this level are rudimentary CPU exception handling hence why kernel panics and BSOD always seemed so CRUDE with just a few lines of text, since at this point everything has halted and and the CPU has unconditionally jumped to a single procedure and nothing else seems to be happening …

@@samyvilar CrowdStrike does not have kernel level permissions on new Macs, because Apple has been pushing people to move away from kernel extensions, so CrowdStrike runs as a system extension instead which is run outside of kernel. The system files on Mac are mounted as read-only in a separate partition and you need to manually turn SIP off and reboot in order to be able to even write/modify them. Good API designs encourages your developers to adopt more secure practices. CrowdStrike isn't intentionally malicious here, but lax security design in Windows stemming from good old Win32 days allowed such failure to happen.

I doubt it because MacOS is like Windows, it does in place upgrades to software. Some versions of Linux and ChromeOS employ blue/green or atomic updates that allow for automated rollbacks if a boot failure occurs.

@@k.vn.k I was under the impression crowdstrike was windows only, for as long as I can remember Enterprise seemed to shy away from macOS, given Apples exorbitant price on its REQUIRED hardware. macOS Darwin kernel is significantly different from windows and Linux for that matter, crowdstrike may or may not need kernel level privileges, for feature parity across the 2 platforms, but make no mistake anything requiring ring 0 does!

Yeah, this is.......... very dubious.

we have known how to write software so this does not happen since the moon landings. we have even better tools now. the only way for this to happen is for everyone including microsoft to ignore those lessons.

This can not make any sense unless you are delusional. So you're good. The man stated absolute nonsense, like he has no idea what he's talking about.

@@JamesTSmirk87 of couse if you canary release to the test servers first, then to your own machines, and only then to the rest of the world, it would have been caught.

Bingo.

Pdf weeb

@@soko45You have a right to cry about a drawn picture on the internet.

I agree it test, test and more test. The should row test on some PC not all to test if was full work. You think with Airline that part should has most test. Code do not change just OS it run on clear was not test for that OS.

Yeah, I’ve heard Windows channel files mentioned. Sounds like a similar process to what MS uses to distribute new Defender signature files.

It wasn’t a driver fault - it was a bad file configuration the driver downloaded automatically.

​@@allangibson8494but couldn't it have been a bad pull from the WSUS to the clients? The checksum wasn't verified on the client side, but verified before distribution

@@allangibson8494 that still sounds like the driver's fault for not gracefully handling that bad file configuration

@@reapimuhs Yes. The file error checking seems sadly deficient. A null file check at least would seem to have been warranted.

He hardly said anything

I am so sorry

but that assumes that they have a decent testing and deployment strategy, despite all the evidence to the contrary. to paraphrase terry pratchett, in the book raising steam, you can engineer around stupid, but nothing stops bloody stupid! 😊

And the deployment team who would deploy to say 1% of their customers first to be double dog sure.

The devs did no doubt create the problem and wrote code that is prone to failure. The devs must take some blame for sure. The dudes in charge of deploying the code around the world are also to blame. Why on earth would you not deploy this to a percentage of your clients first until it is proven to be reliable? Deploying to everyone at the same time is not a devs fault. It is still with Crowdstrike tho, very irresponsible of them. I knew something bad would happen like this after I retired lol.

@@JeanPierreWhite Surely there's enough failure here to spread some blame around. Devs should check for & handle null pointers. Test suites should find bad channel files. Engineering department should properly fund & staff. Fortune-100 companies should be wary of all deploying the exact same EDR solution. etc etc.

That's just an extra little thing for us all to worry about for 14 years! Good night, lol.

@@sadhappy8860😱

Enterprise gear uses hardware ECC RAM with a separate parity chip for error checking and correction to prevent that. Even if it flipped the same bit in 2 chips at the same time perfectly the file created would have failed a CRC integrity check and the build should have failed in pipeline. A failing disk or storage controller in a busy data center is not going to pick on 1 file and would be eating enough data to set off alarms. This was the either the perfect storm of multiple human errors or sabotage.

Yes.

Fr. Security should never require critical code that can CRASH the kernel to be continuously deployed so easily.

AV software is clearly very risky. The industry for some reason seems obsessed with it. Customers keep asking for it on their servers, I keep saying no we have other ways to handle this hazard. Why oh why are you letting a vendor push kernel changes to all your domain controllers at the same time? Why are you in a position where you feel you need this kind of software on critical servers? Are you letting your administrator browse the Web from your file server?

AVs are risky, users are riskier. No, riskiest.

@@kxjx then what happens if a bad actor manages to exploit your server in some way to get their malware onto its system and running? without an AV on the server to help catch it then surely it would be capable of running loose for far longer than it would have if an AV was present would it not? what other and better ways do you have to "handle this hazard" without something present on the server to try and identify and deal with it?

other comments seem to suggest this wasn't an actual update but rather a faulty definition file that was downloaded, the real problem is why they were not validating the integrity of these files and gracefully handling corrupted ones.

@@reapimuhs that makes sense, but regardless of what they call it,imho even config files are a part of the software and require testing and roll out procedures just as if code had been updated.

🙄

It's also the reason they have less apps and programs they can run because it would mean a whole rewrite of the majority of apps that have no issues. Also work around auchas wine are not the answer.

Yeah, because unix is a monopoly, you simply cant get good alternatives on windows (jk)

A security company of that scale should have their testing and update pipeline figured out. Learning basics at that size is just unacceptable.

Clearly Crowdstrike bypassed all change management that corporation employ. There is no way that all corporations worldwide decided not to do change management last Thursday. Crowdstrike updated customers production systems bypassing all change management. bad bad bad. They will be sued out of existence.

Fr. The buck must stop somewhere. I get protecting people from a mob but...

@@krunkle5136 Single dev isn't to blame, the whole company is. None the less no matter what there can always be situations like this, which is shocking they don't having rolling updates to minimize such damage. If for example they only rolled it out to places like McDonald Kiosk's, then slowly to more critically clients, they would of known of the issue before it became a huge cluster fuck

Crowdstrike will be sued out of existence due to this. Microsoft also has some blame, only their OS was affected by a bad Crowdstrike release. Their system is too fragile and has no automated recovery or rollback.

@@JeanPierreWhite Hopefully that will bring some good to Windows for a change of pace

​@@JeanPierreWhitethe issue is not that they had no recovery mechanism in place, it is that go into safe mode and fix it yourself does not work with locked down machines.

Even with a basic tech understanding there seem to be way too many obvious errors involved in this incident. ZIL, staggered rollout, local testing... This is not how a professional software security company operates.

You have testing environments for that. If you don't push it to all at the same time you couls be sued for giving priority to some over other customers (ergo discriminate or downright steal) as some security updates may be essential. A bug of this caliber simply should not have been allowed on live, it was a most basic and serious mistake for a security company.

@@TheUnkow BS. Most large corporations have change management in place to prevent production software from being updated that doesn't go through all the necessary quality steps. Crowdstrike updated clients systems without their knowledge or permission. In addition some customers are OK being a beta customer, those are the ones you target first, then the majority and finally the customers who say they want to be one release behind. Deploying all at the same time is clearly irresponsible and highly dangerous as evidenced by this disaster. Making an update available for download by everyone is fine, but pushiing said release to everyone at the same time is irresponsible and will be the basis for a slew of lawsuits against Crowdstrike.

@@JeanPierreWhite If someone screws up, they can always be sued. If the option for having beta testers are included in the contract, then that is a kind of software model, those rules were agreed upon and that is fine. BUT I would not want a big business when my software provider just decides that my competitors get some security updates before me just because they had some kind of an additional arangement or the software provider just deemed someone should get them first (even if it was round robin). And yes, almost everyone tries to skip steps until a thing like this happens. Skipping saves capital and because the first priority of companies is capital, not the lives of humans in hospitals which depend on their software, things like this will continue happen, but are not right just because they are beind done by many of the corporations.

Just tech people typically downplaying issues and avoiding accountability.

He has 0 clue what he’s saying. You can do plenty of null pointer derefernce checks similar to typical null checks

rubbish. this is kernel level code, and the wrong type of bug will crash the kernel on any operating system. the problem is it should never have been deployed, should have immediately stopped deployment when the machines started crashing, and windows needed a better response to a broken driver than just put your locked down machine into safe mode and fix it yourself.

No it couldnt, it seems like it was read from a file so no memory safe lang would have helped

It's aliens. It's always aliens.

but the machines staying down is directly due to microsoft. if they had looked past safe mode and implemented something to detect and recover from bad driver updates, then it would have been a simple case of turning the machine of then on again and letting it recover.

@@grokitall Yep. Microsoft have a lot of 'splaining to do.

The devs are at fault for writing flaky code. The deployment manager is at fault for deploying to everyone at once. The scale of the disaster is down to deployment methodology or lack thereof.

Truth.

@@JeanPierreWhiteeven those of us who are code geeks believe that.

Yes; This is why corporations should not use Windows in mission critical systems. Its too fragile with no resiliency or automated rollback built in. Even my lowly chromebook can revert a bad OS update automatically by switching partitions at boot. Microsoft should have provided some level of resilience after all these decades.