For all the armchair quarterbacks out there who are interested in how Crowdstrike came to make such a disastrous mistake, they’ve released a preliminary post-incident report. It’s worth the read: www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

RIP to all IT people dealing with bitlockered systems.

As a retired IT worker who went through Y2K and is still irritated by all those who said all the work we put in to prevent this sort of outcome was a waste of time and resources, I feel pained for those doing the firefighting, hopeful they get the recognition they deserve, but suspect they'll be in part scape goated for not having (unaffordable) automated backup and recovery systems in place.

And suddenly, we went from no cash to a paper sign that says cash only.

I have to admit, this took me back to my IT days 20 years ago and i literally had chills up and down my back. My heart goes out to all the key boards warriors who had to go through what they've gone through and those who are still plugging away. There's got to be a better way and of course that's the same thing we said 20 years ago...

Working for a company that's still recovering from a cyberattack (we switched to CrowdStrike in the wake of that), this was the worst nightmare I could wake up to.

I appreciate you guys and gals. I work for a small IT company out of Alaska. We were not affected thankfully but I can't imagine the mass scale of this outage and the tedious manual work that will have to be implemented in order to get all systems back up. I'm in the sales dept. I bring in new clients for the company I work for. I've always had respect for Tech. I'm somewhat of a nerd/ sales guru. and appreciate the work behind the scenes that keeps systems running smooth and safe.

We weren’t affected, but in the end it’s just dumb luck that we chose a different EDR product. Lots of lessons learned today, and I’m sure there are going to be a lot of great discussions in the coming weeks. Sleep well! You deserve it.

Every organisation’s IT teams find solace in each other demise thinking they are not alone to face this sh!t lol

right there with you...worked from 3:30AM to 8:00PM, with another long day tomorrow....

The first thing I thought about when I heard about the outage was the line "Skynet IS the virus".

Happy to learn that I'm not the only one who thought of Lawnmower Man 🤓

My night/day started at 11:41 PM central time. Finished at 7:30PM tonight

Lets move everything to the cloud!!! Great idea! 😂😂😂

This was like listening to some strange dude describe my Friday.

We had Azure VM and Microsoft suggested doing a disaster recovery process, which includes changing the region, etc. I was determined to not mess with the VMs because they are set up very specifically to the apps we had - basically I was hoping Microsoft would be willing to fix it, since I didn't do anything to break it. 45 minutes later it came on, I was glad that I waited.

This is an EXCELLENT RECAP Thank YOU for explaining it for regular folks.

Something like this was inevitable in a world where enterprises don't control/delay updates and leave it to the vendors.

Yesterday was a big win for CrowdStrike. Finally a virus protection program that disabled the most prolific spyware program on the internet - Microsoft Windows. No Linux/Mac products were harmed.

Seeing so many machines down all at the same time was definitely the craziest thing I have ever seen in my 25+ years in IT

Thanks for sharing your experience. I am not working in IT, but I do work in the tech industry. I am lucky my company don't use Crowdstrike, and so far in my country, only the airport and a few airlines were affected. I am not travelling, so I just went about with my day. To everyone involved in fixing this mess, thank you. I try my best to explain to my friends and family what is going on, and I have been emphasizing the situation the sysadmins, IT helpdesk staffs are facing, with the occasional F U to Crowdstrike. Everyone in IT should be appreciated more and I can only hope this can be studied every where and something can be done to prevent the same thing from happening again. Remember it is not just the good guys learning from this outage, I am pretty sure the bad guys, the thread actors are also learning from this.

I feel your pain. Symantec Corporate Antivirus did this to me years ago... I had to boot over 100 computers using a USB stick with a fix on it and I was the only IT person in the company at the time. We got rid of it within the next week and switched to Sophos. "Knock on wood" that never happens again.

It was a rough day for many for sure. I work for a university and it impacted a LOT of our production systems. I agree it's the best on the market. I think there may be some diversification in the platforms companies use after this, but I can't see there being any mass defections. Just my less than 2 cents. I'm tired too and I hope the weekend for everyone get much better. I appreciate your content and have learned a lot.

I understand from reliable sources, IT techs that understand servers, laptops and such, that the reason that only Microsoft systems were affected is that Falcon must communicate with the Microsoft kernel, the lowest level of the Operating System. Corruption in the kernel causes failure of the whole OS and must be restored in safe system mode. Linux and MacOS operation systems do not allow applications to communicate directly and so cannot be corrupted by a wayward application. Only the wayward application will fail on Linux and MacOS and could be easily rolled back to the original application. The Mac OS was rewritten some years ago to a Linux/Unix type architecture. I wonder if there is any kernel protection that will be implemented in the Microsoft OS anytime soon.

If you have VMWare, you could fire up a VM that has PowerCLI, shut down all the windows VM's, then loop through every disk image to mount it on the new VM, delete that file and unmount it again. PROBABLY best to use a Linux VM for this as Linux is far 'nicer' when it comes to mounting and unmounting drives. I'm GUESSING other hypervisors would have similar tools. HyperV shops will probably be an even bigger level of screwed with dataloss due to the hypervisors themselves resetting. Then there's next level screwed if bitlocker is in use.

Got my PROD SQL Servers back online within 6 hours! 300 TB Apocalypse!!!

The company I work for was hit hard. To make matters more fun some of our smaller locations, like mine, don’t have any IT personnel. That meant that 2 of us who know computers had to get all of them working once we were given instructions. On my computer I have local admin rights so on that computer I was able boot into safe mode and delete the file. On all other computers we either had to PXE boot or go through the Microsoft menus to get to the command prompt. We still have 3 computers with Bitlocker that we cannot access. No one in the company has the correct access code.

We worked in to Saturday morning man. It was brutal. When it was first happening I was like you. Immediately thought it was some kind of attack. Then I went online and saw it was happening everywhere. Crowdstrike's valuation is going to be interesting on Monday when trading starts again. There's still a whole bunch of people on remote laptops that are locked out due to Bitlocker. This is going to be such a PITA.

To provide greater clarity, the primary issue here is that cloudstrike falcon runs at kernel level and has internet connected privileged binaries so as to provide rolling updates to threat protection offerings. This was and always has been a massive attack vector that’s yet to have been exploited at a high level. It just so happens to have exposed its vulnerability to the world through incompetence. If Microsoft was half intelligent they’d step in and implement something similar to Apple who provides a system extension abstraction layer so as to not give direct kernel access. They will not do this, because they are stupid arrogant and lazy. Instead, I think most critical organizations should steer clear of crowdstrike and similar kernel level applications with internet dependent binaries. Even if that leaves you slightly more vulnerable to other threats.

I work for a large company that use to use crowstrike...we removed and replaced with MS E5 License Security Stuff when we went to e5 as a cost thing ..... But we had 40 machines still affected as even though it was removed we had had instances of crowdstrike re installing itself...real bizarre ...those 2 Servers have been fixed and the other PC's for users will be fixed when Desktop Staff come in Monday as they were at remote sites...what a mess.....

Fantastic video! I loved how you told the story of how it began at your org. That's exactly how I felt. What I suspect is going to come out of this is that CrowdStrike may have to segment its solution updates by industry. This failure was massive and even though they will check it countless times going forward, my guess is that companies will come forward and say that this cannot happen again. Just the fact that they test, test, test, and re-test going forward will not be enough. We saw a lot of side channel attacks coming in the form of phishing. While the event was not malicious, it did have somewhat the same net result and that is unavailability of services. What's also got put out front and center is, all the major companies that use Crowdstrike. I am sure that going forward they will test the hell out of their updates, but segmentation by industry is probably where they will need to go for rolling out global updates so that things like Healthcare or Travel are not impacted at the same time in the event of an issue. This will also place more focus on Microsoft Azure. While it's not Microsoft's fault, we will need to start planning for DR scenarios that we once thought were pie in the sky issues. Now those pie in the sky scenarios are real. Very real.

OUCH! 😮 All in the name of "Security" . . . Now we see how fragile our systems really are - and how dependent we are in today's technology! 🤐 Now we also know that major events aren't always caused by bad actors!! 😬 Stay Vigilant and Keep Safe !! 😷 #majorincident #dependencies #securityglitch

Great video and thanks for sharing your "horror story". I'm a retired IT guy, and still very much like to keep an ear to the ground on IT matters. When this event happened, I was hoping someone who was in the weeds in handling this event within their org would post their story so I can hear details. Having been through similar (albeit less widespread impactful) events, I can 100% relate. Still morbidly curious, I guess.

As a non-tech person, I knew it looked bad yesterday when I started looking at flight delays. Hats off to you and all of the other IT folks dealing with this nightmare!

I'm a contractor to a large Australian retailer and I have to say they have their shit together. Had thousands of POS systems back up over the weekend and then the hundreds of the support laptops by mid morning today. Came down to them being easily able to report on the Bitlocker keys, and admin passwords to gain access to the CS folder. I have a new found respect for disaster preparedness and recovery.

The rather large global company I work for, doesn't use Crowdstrike, so, amazingly, I've been able to sit back at eat popcorn, all while saying "there but for the grace of God go I". I'm so glad I dodged this bullet.

Really great boots on the ground, "this is how it went (down)" account. Surreal. Thank you!

It’s a Nightmare, you wouldn’t want it on your worst enemy…

My heart goes out to everyone affected. Way to hang in there, Rich! We were not impacted, but know quite a few shops here in Houston that were.

I'm an employee at a small company and had this crap on Friday morning. Our IT guy was abroad in vacation and he got the choise between finding the next flight or sending each employee the admin password by private e-mail. He chose to give us the passwords and change them when he comes back.

Crowdstrike is a proud world economic forum company. The plan for a global cyber attack isn't to have someone attack you but for the main cyber attack prevention company to actually be the point of failure in replacement of a "global cyber attack"

People:" waaah waaah i cant browse memes becaue of this!!" People in hospitals on a death bed:...... - - ........

Get some rest. I’m infrastructure, it hit me as well and I had to get my bitlocker key from the help desk. Still spent us the better part of the AM getting our systems back on line, and then dealing with the AD problems via vCenter. I’m keeping a copy of my bitlocker key in my Mac password file.

My question is after working as an update/patching admin why would you push an update on a Thursday/Friday best practices patch Tuesdays for those who know 🤔

Great recap of your very real world experiences! Thank you for sharing sir!

That sucks, sorry to hear. Im glad I didnt have to deal with it but Ive been through a malware event and know the feeling. Hang in there!

The ITasS company I work for fielded 140 calls had 4 simultaneous war rooms on of which wrapped up at about 1 am this morning

Thank you for taking the time to put this together when you're clearly so exhausted. This is exactly the kind of content we need after an event like this, from real professionals who are there. There's too many "lol why didn't they just ..." Reddit Keyboard Commandos running around making me wish I had a way to smack people through my screen. Respect. One thing I still don't understand is how this actually got out of Crowdstrike's development systems (?) and into their production deployment systems. I realize that one of the big benefits of CS is its rapid response nature, I think backed in part by ML (?), but surely there should have been some sort of internal unit test package or an equivalent to catch a killer update before it was pushed? High speed automation with no QC is an invitation to exactly this sort of disaster. Given how many medical/hospital systems were impacted, including in some locations EMS helicopter service, CS will be lucky if they don't get sued for contributing to someone's death or injury.

Best vid so far on this topic. We had a long day as well, I got called at 3am my local time, got to take a nap at 5pm.

Co. I work for still has over 12k users to bring back online. It's been a nightmare going on 48 hrs now

Sure was a day for us. Luckily, by the time we got to the office the fix was know. It could have been a hell of a lot worse. Our DCs were good, a few servers went down but came back quickly. Then we trawled through all the desktops over an 8 hour stint. As IT, all we got from the business was praise because we had constant coms and updates running throughout the day and offloaded a bunch of the reporting responsibilities to the team leads rather than getting all users to make lots of noise reporting.

The only big question is why are drivers for windows not signed and then validated by the OS before being installed/loaded? That just seems so obvious. You would think there would also be a transaction log for most recently installed “system” stuff and if more than three reboots are triggered it would rollback the install log and quarantine the most recently installed items. That’s how I’ve designed patching systems in the past for mission critical infrastructure software systems. I had no idea this many people still used windows! I’ve not touched windows for 25yrs.

I wonder how long this will take to fully recover from, think about all the laptops that will probably have to be shipped back to the office and the kiosks that are hard to gain physical access too

Thank You for this EXCELLENT ANALYSIS!

Yesterday was like a digital nuclear bomb going off

Not to mention the people with bitlocker and no access to their keys.

Very clear and concise. Thanks so much for the video explaining what has to happen to delete the file. What a task to have to touch every machine!

Lol. I am just a retired low-level PC Tech. When I got out of bed yesterday I heard the words 'bad update' on tv, so I ran in and quickly did an rst r u i on my own desktop. But apparently I was not even affected, anyhow. But the machines at the hospital where I work as a housekeeper are, and they are all bitlockered VMs. And they have a tiny IT Department with inexperienced techs. That Hands-On solution is not too difficult, as long as you can get the key. Should I offer them my services on a per system basis? More fun than cleaning toilets ! 😅 (Ouch. Poor you!! )

This was the result of Crowdstrike’s incompetence but Microsoft is also to blame for not adequately protecting their OS at the kernel level. No 3rd party software, no matter the source, should be able to root-kit an OS like this, requiring manual deletion of files like it’s the 1990s. This kind of failure is not possible on MacOS for example.

Good job -first person POV. Thanks!

Automated updates are a time bomb waiting to explode. Good luck, because you will need it!

4k VMs, 3,5k notebooks, 4 gallons of coffee, 3 pizzas aaaaaannnddddddd counting........... (oh.. 2 keyboards too, RIP F8 key 😞)

Thanks for sharing your experience; hope you can get some sleep!

Thanks for this. My MSP uses a competitor for our MDR, but my previous employer wasnt that lucky. Nuts.

years ago, I worked on a supportdesk and watched a whole bank scream to a halt after Symantec was rolled out. As soon as it loaded the first time, it ran a full scan pegging the IO and CPUs making devices unusable for hours, if someone restarted, it started over

I was lucky that my org is currently only using crowdstrike for a few non-critical systems. I feel for you, and hope you get some recovery rest It will be interesting to see what lessons the industry (and world in general) take from this.

RIP, in some airports they did go back to giving handwritten boarding passes

Thanks for sharing your story. We don’t use CrowdStrike, but I 100% relate to your gut punch moment when you initially thought “this is it.” I’ve had that pit-of-the-stomach feeling upon seeing weird traffic in my own network several times over the last few years (so far we’re unscathed) and it truly sucks. I’m 30 years into my IT career, and the scourge of ransomware has turned what was once a fun job into an almost constant state of dread. IT is now almost 100% defense, and I hate that.

makes me realize CS does not use falcon on their own system

Worked through from 11pm to 10am Was right in the middle of it as all out monitors vms, pc, db, all bsod.

Man i feel all your situation loins and 100% feel for you guys. Luckily this time, I Sitting pretty with S1 today.

The more I read about it the more insane it becomes - it wasn't a simple bug but literally a driver file of all zeros! How the hell wasn't it hash checked by the client update process before installation and requesting a reboot ? Or how the hell did ClownStrike update push server not also do basic sanity checks before sending it to _every_ customer at the same time ? /facepalm

The previous company I worked at was affected by this. I sent them the fix as soon as I read about it, as I think they were not aware of what was going on. I am lucky enough that the company I work for now does not use Crowdstrike...but honestly, this could have happen with any antimalware software. That was the case with Symantec and McAfee few years ago. Crowdstrike is still an awesome product and one of the best (if not THE best) on the market. I hope they recover from this. In my opinion, Microsoft also has some work to do in Windows following to incident to prevent something like this to happen. Windows is no where near the most robust OS...

Did not have issues at my site since we don't use Falcon, but my son's company did. I did not know that Azure did not have a console that sucks, and I was just toying with looking into it more. Whew, I dodged a bullet there. This reminds me of the MS service pack nightmare, which I did have to pull long days for. Good luck, folks. I hope you all get some sleep soon. Cheers

so one man, on his own, stopped the world, we are doomed!

Got that phone call from the shop about blue screens. Can't remote in. Hopped in the car and off to the shop. Just like so many in IT that day.

thanks for the detailed explanation

Wow, you got a front row seat....to me the fact that this was even possible indicates how fragile things are. What do you think we can do to prevent such a catastrophe in the future?

Really relate to your story. I’m in Australia so it hit our IT team at Friday 3pm and I’m in development (not ops) and my surface crashed, then my colleagues did. Reported it to my boss then walked away while it rebooted. In the bathroom a woman from a totally different company sharing the building with us tells me “all our pcs crashed so we’re leaving for early drinks at the pub 😂”. I was so relieved! If I’d seen the SQL servers drop first before my laptop that wouldn’t have been a fun moment to live in at all.

So I wonder what happens to the executive who chose Crowdstrike in each company? And more generally, how do you actually select an EDR/EPP/XDR?

Sorry that you got affected. Sounds like a hell of a thing.

Great video on this topic. I especially appreciate the explanation of what it felt like to be in that unfolding "oh shit, this is it" moment. Absolutely wild day. Thanks for sharing, as a popcorn-enjoyer, this was a great way to bookend a day of catestropic tech news. Pour one out for the homies traveling today

How can they upload a blank file [0...0]? Why CRC does not detected the anomaly? Why Win Kernel allow blank files to be load? Why MS allow 3th party "base file" to be updated?...This was JUST a TEST! 😉

We should have a movie about this

My Vic-20 and Radio Shack Tandy computers never had these issues

I do wonder why huge companies are not diversified more. It is crazy that this can happen all over the world and shut so much down. Even Crowdstrike should be fully diversified I would think where under no circumstances everything goes out to all streams on the same day. I am not IT so I don't know the terminology, but I think you know what I mean. Even in this case it seems redundancy would not have helped because it was a single bad file that went to every computer. But if out of 5000 computers, they had 5 different services or versions of a service where that are getting a different set of downloads on each stream in a single day, this would have only shut down a fifth of them, leaving only a fifth of them disabled for a bit and 80% still operational and able to find the problem before the world comes to a halt. I feel like this incident has opened floodgates and we can and likely will see malciousness on this scale or worse sooner than later. What are your thoughts?

2:43 was the CrowdStrike driver? That stop code otherwise, usually means loss of RAM stability, such as badly-seated RAM, or dirty RAM slots.

I’m an IT System Analyst, crazy how much we rely on computers. Yesterday was insane. By the way in healthcare.. FUN

I just spent an hour (50 min on hold, they are SLAMMED) on the phone with my IT guy to get the bitlocker key for my workstation. I told him he’s fighting the good fight and to get some sleep.

Man this is my NIGHTMARE, we dodged this being on S1 instead but the description of figuring it out. Nightmare fuel

Did the Azure storage outage cause Crowdstrike processes to download a null file stub meaning the mass BSOD outage was triggered by Microsoft but caused by Crowdstrike not parsing input files safely?

I’m a cybersecurity analyst and my company was on high alert yesterday as we assumed initially this was a cyberattack

This put a big target on CrowdStrike now, it it wasn't big enough before

Really, the World-Wide Fail wasn't caused by the bad update. The FAIL was in rolling out the update to EVERYONE at once -- a blitz. Had they done a Canary deployment and slow-roll, the problems would have tiny

This fail was unbelievable to be present nowadays! I have 35 years working in IT,. At college I´ve learned to test any software before deliver it in production, test environment, controlled test, implement it in a small piece of production environment, therefore this means for me that CrowdStrike guys need to return to the "basics" of software change management cycle...

I was on a similar call and there was 2 management people there with no IT Background, no idea why they were even there 😂

My computer is stuck in an infinite reboot loop, preventing me from accessing the command prompt or deleting any files. The repair options never appear, and I've tried all the methods to enter safe mode without success. I've pressed the F keys and repeatedly forced shutdowns with the power button, but nothing works. Despite all my efforts, the computer remains in this constant reboot loop.

Loved hearing this story! Unbelievable this could not be handled without direct IT people intervening. What are you suggesting for VMs for startups that want to colocate who do not want to get locked into the Broadcom ecosystem?

I wonder, was George Kurtz CTO of McAfee when they bricked all the windows systems with an update

Still working - Shares in redbull went through the roof over the past 24 hours - or at least they would have if the systems were working right.