A brief overview of the history of Windows security & malware, the EU's antitrust case against Microsoft, and why antiviruses need to be in the kernel in the first place.
Comments
@Yutappy99 6 months ago
I did not understand a single thing but I feel sufficiently educated now to comment on Reddit like an expert on this topic.
Microsoft made it somewhat easier for CrowdStrike to make major mistakes, but it was CrowdStrike that neglected to do the appropriate testing and phased distribution that should be done for software with such low-level access.
@artysanmobile 6 months ago
Are you sure you understand how markets work?
@FrontLineNerd 6 months ago
It’s so clear that so many of you are commenting without having listened to, or processed the contents of this extremely complex and informative video. I’m a Mac and Linux guy who works with Windows managers and I’m learning more from this video than I do working full time with certified Windows engineers! Really great work.
@487001609 6 months ago
Crowdstrike is to blame for not being able to stage their updates. If we let an OS start without a critical component like an EDR, I think we should not operate on such machines
@tomstoob 6 months ago
True, but even with or without staged updates, it is glaringly obvious this software 'patch' WAS NOT tested at all and should NEVER have been released without good thorough testing. Crowdstrike is an untrustworthy company because 1) it does not test EVERY patch it releases to its kernel drivers and 2) it does not practice staged updating in every instance, if at all.
@petrihadtosignupforthis8158 6 months ago
They were not parsing the signature file for valid structure. They trusted the input. For many years. So it is not political or anything. Crowdstrike just pushed shitty code to production, that exploded with a shitty Crowdstrike signature update. They have not fuzz tested themselves...
@Jaker788 6 months ago
Not to mention them bypassing the Microsoft signature requirements for drivers by not updating the driver itself, but a config file the driver reads. Which means they can change how the driver operates without updating it and getting another signature, despite being made a critical startup driver. Kinda defeats the spirit of signature-required software @@tomstoob
@stephenalexander9558 6 months ago
Agreed! Over the years I have been amazed at how more "business applications" were being managed much like smartphone applications! Everyone should recognize that MANY smartphone applications are updated on a WEEKLY to DAILY basis! This means that only a small amount of testing is executed before pushing out to production! Why? The current view is that any "bugs found" would be fixed in the next release! In a perfect world of no mistakes, it is awesome for all machines/systems to get the latest important updates! However, as the CrowdStrike situation proved, we still need to protect ourselves from complete shutdowns and outages due to bad updates! Staggered updates give us time to learn that there are issues and that the latest update should be removed from production ASAP! Wow! 🍀🙀🌟 😇
@nosuchthing8 6 months ago
Why should some random software company be allowed to push code into the kernel!
@ammarash5449 6 months ago
"Fixing blue screens with more blue screens"
@guilherme5094 6 months ago
Very good, I really like Dave's channel, I think it would be great to have you two talking about the subject.
@sergeyb6071 6 months ago
Had the same idea, left a comment on Dave’s video about this too. Let’s make this happen folks.
@XatxiFly 2 months ago
This is such a great thorough analysis, I really appreciate the sophistication of your work and historical knowledge here! Got my sub.
@justacomment1657 6 months ago
All due respect. But a bad business decision by Microsoft did not deploy faulty code without staging around the globe. Crowdstrike neglected any, and I mean any, even the most basic, care in deploying, creating and testing that update. And they also managed to kill Debian Linux earlier this year... so one could make a case for them being incompetent. And rightfully so. If a product is bad on Microsoft Windows because Microsoft does not allow you to access the kernel in a smart way, sue them (class action), or limit its functionality. But they decided to backdoor their stupidly written and lazy-ass tested software, intentionally circumventing WHQL. Which is far beyond negligence.... that's intent. I would not be surprised if they get sued to oblivion over at least one of those points.
@ProjectBimmers a month ago
U have no idea what you are talking about. That is painfully obvious. U must like to go around saying a whole bunch of nothing
@KeijonAutoVuokra 6 months ago
Excellent video. Your expertise and presenting skills really show
@Trevellian 6 months ago
Great insight. Why do you think Crowdstrike seems to have had no validation, at all, on their channel file updates? Gross negligence?
@x_ph1l 6 months ago
Yep, no deployment strategy (deploy on small number of machines first to see if it works properly, then the rest), or the deployment strategy was skipped for some reason.
@Trevellian 6 months ago
@@x_ph1l Yes, they did not have a tiered deployment strategy, but it's actually worse than that. They didn't perform a sanity check test on a single Windows box. The Falcon parser running in the kernel was sent code updates multiple times each day. These aren't just definition files, they contain actual code that is run by the Falcon parser within the kernel. These 'channel files' weren't securely signed. The Falcon parser didn't perform a hash check. The Falcon parser didn't even look for a file header. There appears to have been no checks at all. Crowdstrike's kernel parser just accepted and ran whatever file it was sent. If even one of those validation steps had been in place (validation on a Windows box, tiered deployment, signed channel file, file header in the channel file, hash check of the channel file), this would never have happened.
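The validation steps listed in the comment above (a file header, an integrity check, and length checks before the parser acts on anything) as a worked example. This is added code, not CrowdStrike's or the video's: the channel-file layout, the magic value and the FNV-1a stand-in for the integrity check are constructed for illustration, and the scenarios include a file of nothing but NUL bytes.

```c
/* Defensive validation of an untrusted "channel" file before a kernel component acts on it.
 * Added example: the format, magic value and FNV-1a check are constructed, not the real product's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define CF_MAGIC       0x4643u   /* "CF" read little-endian; constructed */
#define CF_VERSION     1u
#define CF_HEADER_LEN  12u       /* magic(2) version(2) record count(4) hash(4) */
#define CF_MAX_RECORDS 1024u
#define CF_MAX_REC_LEN 256u
enum cf_status { CF_OK = 0, CF_TOO_SHORT, CF_BAD_MAGIC, CF_BAD_VERSION,
                 CF_BAD_COUNT, CF_BAD_HASH, CF_TRUNCATED, CF_TRAILING };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* FNV-1a stands in for the integrity check. A plain hash only catches corruption;
 * a real driver would verify a signature so that a tampered file is rejected too. */
static uint32_t fnv1a(uint32_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}
static uint32_t cf_hash(const uint8_t *buf, size_t len) {
    /* covers the first 8 header bytes and the body, skipping the hash field itself */
    uint32_t h = fnv1a(2166136261u, buf, 8);
    return fnv1a(h, buf + CF_HEADER_LEN, len - CF_HEADER_LEN);
}
/* Header, integrity and length checks all run before a single record is interpreted. */
enum cf_status cf_validate(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < CF_HEADER_LEN) return CF_TOO_SHORT;
    if (rd16(buf) != CF_MAGIC) return CF_BAD_MAGIC;           /* a file of all zero bytes stops here */
    if (rd16(buf + 2) != CF_VERSION) return CF_BAD_VERSION;
    uint32_t count = rd32(buf + 4);
    if (count == 0 || count > CF_MAX_RECORDS) return CF_BAD_COUNT;
    if (rd32(buf + 8) != cf_hash(buf, len)) return CF_BAD_HASH;
    /* body: count records, each a u16 length followed by that many payload bytes */
    size_t off = CF_HEADER_LEN;
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < 2) return CF_TRUNCATED;                /* off <= len holds throughout */
        uint16_t rec_len = rd16(buf + off);
        off += 2;
        if (rec_len > CF_MAX_REC_LEN || len - off < rec_len) return CF_TRUNCATED;
        off += rec_len;
    }
    return off == len ? CF_OK : CF_TRAILING;                    /* no unexplained bytes allowed */
}
/* Writes a well-formed two-record sample file into out (cap >= 64); returns its length. */
size_t cf_build_sample(uint8_t *out, size_t cap) {
    static const char *recs[] = { "rule:block-proc", "rule:log-net" };   /* constructed payloads */
    size_t off = CF_HEADER_LEN;
    for (size_t i = 0; i < 2; i++) {
        size_t n = strlen(recs[i]);
        if (off + 2 + n > cap) return 0;
        wr16(out + off, (uint16_t)n);
        memcpy(out + off + 2, recs[i], n);
        off += 2 + n;
    }
    wr16(out, CF_MAGIC);
    wr16(out + 2, CF_VERSION);
    wr32(out + 4, 2u);
    wr32(out + 8, cf_hash(out, off));
    return off;
}
/* The cases a pre-release test gate should run; each returns the parser's verdict. */
enum cf_status scenario_valid(void) {
    uint8_t f[64]; size_t n = cf_build_sample(f, sizeof f);
    return cf_validate(f, n);
}
enum cf_status scenario_zero_filled(void) {
    uint8_t f[4096] = {0};                  /* nothing but NUL bytes */
    return cf_validate(f, sizeof f);
}
enum cf_status scenario_truncated(void) {
    uint8_t f[64]; size_t n = cf_build_sample(f, sizeof f);
    return cf_validate(f, n - 3);           /* body cut short: stored hash no longer matches */
}
enum cf_status scenario_lying_count(void) {
    uint8_t f[64]; size_t n = cf_build_sample(f, sizeof f);
    wr32(f + 4, 3u);                        /* header claims three records, only two exist */
    wr32(f + 8, cf_hash(f, n));             /* re-hash so only the structural check can fail */
    return cf_validate(f, n);
}
int main(void) {
    printf("valid=%d zero=%d truncated=%d lying_count=%d\n", scenario_valid(),
           scenario_zero_filled(), scenario_truncated(), scenario_lying_count());
    return 0;
}
```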
@grokitall 6 months ago
Worse than that, the CEO said it was company policy due to the patches being so urgent that it would take too long to check them. I think he meant to say that it would take too long to go through the Microsoft validation, but if not, he has no business having power over technical issues because he just does not know enough to make those calls. Basically, if you don't have time to do it right and test it, you really don't have time to do it wrong and have to fix it.
@x_ph1l 6 months ago
@@grokitall wow, that's eye opening))
@geroffmilan3328 6 months ago
Read the report which came out yesterday/today. They definitely did... and it was definitely inadequate. Like, power-cycling your test machines seems a pretty important part of the process, because it takes way less effort vs the rest of the test suite & will at least catch egregious errors like this one. Then you move on. Bonus: when code fails a unit test, maybe don't respond by fixing the unit test so the code passes unless you're very sure the test is broken.
@0kills 6 months ago
“Uniquely qualified” *locks in and watches the vid intently*
@ScarySox 6 months ago
Liked & subscribed at that point! 🤨
@nickellis-gowland7982 6 months ago
Amazing historical view - best video on the subject!
@demeaningplebny1363 6 months ago
Thank you for the insights! 👍 (Navigated here thanks to Steve Gibson and Security Now!)
@MalwareTechBlog 6 months ago
Thanks 🙏
@jonathansage6729 5 months ago
Wow! This is the best video about this topic. When I heard about the Crowdstrike outage I immediately wanted your thoughts. Thank you so much for the historical details that helped explain why this happened. I'm not a programmer but I understood your explanation. Fantastic video. My big takeaway - Deploying without fully testing was Crowdstrike's error but Microsoft must take part of the blame for helping create the environment in which the error became so disruptive. I'm eagerly awaiting future videos from your channel!
@lorn4867 6 months ago
Thanks for doing an analysis of the Crowdstrike crash without any yelling.
@Interminableable 6 months ago
Thank you for your perspective 🙏🏻
@freakmusicaddict 6 months ago
Why perspective? Dave is just wrong. It's not a perspective, it's just correct.
@Interminableable 6 months ago
A lot of history was covered and Marcus provided a retelling of it from his personal experience and added his opinion. I found it interesting and enlightening. Based on his very publicly documented expertise in this field, his views carry a lot of credence with me and his insights are valuable. Hence, my comment of gratitude. I'm afraid I know nothing of you or your expertise in this matter and therefore your unqualified assertion of fact carries very little credence with me whether I agree with you or not.
@user-dx3px4iv8p 6 months ago
Loved the insight! Calming voice! The only thing that would make the video even better for me is to have links to the sources in the video description. I know it's possible to manually find them all but it would be a nice touch.
@txorimorea3869 6 months ago
Anybody who can't separate data from code is too incompetent to be trusted to run anything at kernel level. On top of that no code running at kernel level should be able to auto-update itself without the authorization of the IT administrator.
@udirt 6 months ago
Ooooooh-kay
@joshuablanchette878 6 months ago
I stumbled onto this channel and I really enjoyed your content. I look forward to seeing more.
@ethanrittenhouse7681 6 months ago
I've been inspired to try my hand at cybersecurity thanks to you! I've been developing software for a while but this is a whole different ballgame lol. I've known of you since 2017 as most of us did, but just now found out you have a youtube channel. I have to say, it's an honor to be able to listen to a history maker like yourself.
@halofan07 4 days ago
Man, I remember this day. I'm a fuel tech (keep gas stations/terminals pumping fuel) and when this hit, once I found out the fixes by midday Friday I had to teach other techs in our company how to fix it on point of sale systems. Such a big fumble, and I fear something similar will happen again.
@tonym5857 6 months ago
I DO love to see this kind of video performed by a REAL PROGRAMMER who understands and knows about the O.S. 👏👏👏
@geroffmilan3328 6 months ago
We have quite a similar background 😊 though I chose the more predictable route of a job managing a team of penetration testers. I like the rational, cool-headed presentation Marcus. New sub gained.
@taiquangong9912 6 months ago
I truly enjoy your insight.
@senorbuen0 6 months ago
As a rookie aspiring pentester I didn't understand 80% of this, but that fact motivates me to keep learning as much as I can because these clearly aren't simple endeavors, good god.
@FAYSAL-SOMALI-UHURU 6 months ago
You are the best Channel in the tech world. And you are my Hero
@atrucrime 4 months ago
OMFG!!!! Yo, you're that guy lol, holy shit dude, I for sure thought they took you to some black site lol. Yo please make a short video or course on how to RE a botnet so it can be mapped, nothing like learning from the master himself. I'm so stoked on finding your channel, hell yeah, keep at it homie.
@marcot8549 6 months ago
If you WERE an EX-malware developer, then you ARE a malware developer NOW! BUSTEEEEEED! Great vid, thanks Marcus xx
@zipz7622 6 months ago
He actually fixed a worldwide virus that cost people around 4 billion USD in damages, so when he got caught for his EX malware production he got very minimal punishment. A KZbinr named "CrumbRS" made a really good video about it.
@marcot8549 6 months ago
@@zipz7622 Was just jibbing on it cos he said "was" an "ex", which means not an ex in present tense, ergo, he's a malware developer again today. It's not funny now I have to explain it.
@MadScientist512 6 months ago
@@marcot8549 appreciate the explanation as I surprisingly missed your wonderfully pedantic joke despite the capitalisation.
@marcot8549 6 months ago
@@MadScientist512 I think most people missed my genius. It's hard being me sometimes.
@TN000NT 6 months ago
Was looking forward to this!
@john39272 6 months ago
Really good high level overview of user permissions in Windows, thanks
@naesone2653 6 months ago
Hyped to hear u speak about it and even more hyped that you are not afraid of going against Dave's Garage's claim
@emilsdl 6 months ago
CrowdStrike should be consulting to MS because they are changing the kernel; lack of QA and certification to MS
@asicdathens 6 months ago
When Microsoft introduced a warning system that you are about to do something on your system intentionally or unintentionally, everyone disabled it because it was a nuisance
@therealmattplayer 6 months ago
Great explainer, thanks.
@8Dbaybled8D 6 months ago
can you give your thoughts on Apple's changes to the filesystem and generally how they're moving everything that's kernel related from any access points from userland?
@linearz 6 months ago
Were you referring to AMSI API for process injection (memory monitoring), or other API group?
@camelotenglishtuition6394 6 months ago
Hi Marcus, this is a real long shot, but could I email you about some odd behaviour in macOS and how it handles some image formats?
@jeff5858 6 months ago
Crumb video got me here.
@OwenKraweki 6 months ago
I could listen to you for hours
@stuartmcintosh953 6 months ago
Please bring back the MalwareTech podcast 😞
@zxuiji 6 months ago
Personally I think the solution lies in kernel processes, different from user processes. A user (and thus any user app) can kill any user mode process (even if they have to enter a password for root access) but they'd have to drop down to kernel level permissions to kill a kernel process. Anything that involves directly talking to hardware would be put in the kernel itself but for anything else it would involve pipes between kernel processes. The kernel can maintain the security of kernel processes and kernel processes can maintain the security of user processes. This new type of process would require the creation of a new user with greater permission than root which would resolve the problem of security being compromised due to users using admin accounts for their main account. It also means greater kernel stability because most of the kernel would be in kernel processes, with security & hardware code being the only exceptions. Could create something like klibc to share among the kernel processes too.
@IshayuG 5 months ago
I think the problem is also that clearly there was code or at least a sophisticated format being read into the kernel by way of these files being dropped in. Why are Microsoft certifying drivers with WHQL that change their behaviour based on the system files? Who says it had to be Crowdstrike who added this file? Could just as well have been a malicious actor who worked this out, and worse still maybe they would work out a way to craft a malicious file of this proprietary format and cause an exploit to reveal itself, allowing arbitrary code execution in the kernel space by escalating privileges through Crowdstrike.
@rackbites 6 months ago
When security is an afterthought rather than a core requirement of your OS ... you get Crowdstrike type mass outages ... will it be the last or just the first of many ... ???
@angrydachshund 6 months ago
Great vid, thank you. And grats on sanctifying out of bad ways, we are all born wicked but not all of us graduate from it!
@pcsecuritychannel 6 months ago
Crowdstrike is to blame for the Crowdstrike outage. Why do we always look for other excuses when multi billion dollar companies fail at basic quality controls. It's simply putting scaling and selling before building a quality product/service and in the case of Crowdstrike it couldn't be more obvious. We need to punish this behavior and not act as if they have no accountability because they are on the 'same team'. They did worse damage than most malware, and need to be treated accordingly.
@SB-cz9vo 6 months ago
It is nice to finally see someone from the US willing to look deeper than Microsoft's whining about the EU. MS tried to stack the deck in their favour and the EU called them out for it. Forcing someone to play on an even playing field is not forcing them to make their system vulnerable. Good move to call out Dave's Garage and others for their skewed perspective. Trying to protect MS while blaming the EU. Apple standing in the background wondering what all the fuss is about is just the killing blow to the MS fanboys. Just insane.
@JonathanSwiftUK 6 months ago
If the kernel is ring 0, and user is ring 3, didn't they leave rings 1 and 2 for drivers and high privilege processes like malware protection, but didn't actually use them? But would this slow down Windows a lot? Remember in NT4 they moved at least part of the graphics drivers into ring 0, to save a lot of context switches.
@MC-kn6jl 6 months ago
The outage happened for a simple reason… absence of an adequate software dev and release process with a bit of negligence. Had the “content update” (which was full of code!) been tested, the outage would have been prevented.
@Argus00BFH 6 months ago
Welp, we finally got our Y2K, just 24 years later.
@Real-Name..Maqavoy 6 months ago
1:20-2:10 *Kernel* has always been a problem. Cause *Rootkits* expanded in those 'Early days'
@Dhushyanthkumar222 5 months ago
Hey Marcus, I’ve been getting really interested in learning ethical hacking and was wondering if you could help me out with some tips or guidance on where to start. I’d really appreciate any advice you can share!
@ilmurdaa 5 months ago
brother this dude's speaking a different alien language
@tomstoob 6 months ago
Good deep dive into the historical problems individuals and businesses have experienced with Microsoft's deficiencies in the design of Windows OSes from the very earliest days of an operating system that was basically designed for individual users/standalone PCs to its migration to networks, business and corporate use. Can we blame Microsoft for the disaster of the CrowdStrike global crashing of computer systems? Indirectly, yes - but had CrowdStrike been run by competent and responsible CEOs who make sure their Falcon anti-malware software patches are FULLY TESTED before dumping them en masse on millions of Windows networked PCs all around the world AND that they would only do such software patches via staged releases to their Falcon software clients, this disaster would not have occurred. If the first point was practiced by CrowdStrike then nothing would have occurred to Windows computers running Falcon software on July 19th and if point 2 had been implemented, the problem would have been quickly reported back to CrowdStrike's HQ and the staged releases to 'next-in-line' recipients of that Falcon software patch would not have gone ahead. So the blame has to be primarily with CrowdStrike's management of software patch distribution and secondly with Microsoft in a much less important sense. CrowdStrike Falcon software runs on Linux and Macs too but this faulty Falcon software patch only occurred on Windows computers.
@grokitall 6 months ago
Microsoft was responsible for not fixing the boot loop problem, which has been recurring since 2016, and is what caused the machines to stay down.
@tomstoob 6 months ago
@@grokitall CrowdStrike was the primary player at fault for the 2 reasons I listed
@grokitall 6 months ago
@@tomstoob I don't dispute that in any way, but Microsoft is also liable due to not fixing the bug in 8 years which caused the machines to stay down, which is why the lawsuit from Delta Airlines is naming both while trying to recover the 500 million they lost due to the outage.
@Hexanitrobenzene 6 months ago
@@grokitall I would blame MS for allowing the Crowdstrike boot required driver to pass the WHQL certification process. Since the driver reads external files, UNSIGNED BY MS, the parser should have been cross examined inside out and bombarded with all kinds of sane and insane things, including NULLs. Still, as many others pointed out, Crowdstrike is mostly at fault here, since they didn't take even basic measures to avoid this failure.
@grokitall 6 months ago
@@Hexanitrobenzene I agree that Crowdstrike caused this, but Microsoft enabled it by not fixing known issues involved in this for many years. That is why they are also being named in the lawsuits.
@galen__ 6 months ago
KB5028997 and KB5034441 plus Windows allowing the system to be locked from repair is why I’ve been giving CrowdStrike the benefit of the doubt. Microsoft now saying the EU caused Windows to be this far broken is bonkers. Microsoft has had over a decade to get this right and it’s only been getting worse.
@harveypaxton1232 6 months ago
The blame is actually on the company IT managers for not having proper policies in place.
@MoiraWillenov 6 months ago
I do not want AV on my PC without being able to decide if I want it or not. Especially not at the KERNEL level.
@JustMe-ts8bn 6 months ago
Interesting on the EU judgement
@asdfasrfsradfsdafwefdsfsdc2749 6 months ago
Wow, this is so interesting. I would love to see more content about such low-level techniques as described here.
@MalwareTechBlog 6 months ago
Probably more of a course thing than a KZbin thing
@FAYSAL-SOMALI-UHURU 6 months ago
@@MalwareTechBlog I know you are not doing this for the money. You are doing it for the cause. I believe that a thousand percent.
@Gandingas 6 months ago
Nah, this is on CrowdStrike, not Microsoft
@dyu4634 6 months ago
I feel the same too. If a renter rents my house and burns it down along with the whole neighbourhood, I'll be pissed if they hold me accountable.
@grokitall 6 months ago
@@dyu4634 But the correct analogy would be the renter plugging something in which caused your faulty wiring to burn down your house and those of everyone else in the block. Yes, they caused it by plugging in something way overpowered, but you enabled it by not fixing your faulty wiring, so you get to share the blame. Same here with Microsoft.
@nappucentertainment3004 6 months ago
@@grokitall exactly
@gaBehcuoDsuoitneterP 5 months ago
7:46 Right now the EU, and other nations, want backdoor access to people's private encrypted communications for law enforcement purposes. Though some companies, like Apple, argue this would also make it easier for bad actors to exploit; you can't have that stuff just for the good guys without the bad guys finding them as well. The eternal struggle continues.
@correabuscar 6 months ago
if Vin Diesel was into computers
@MadScientist512 6 months ago
Microsoft's IT monopoly is the real ongoing problem, and this incident SHOULD have raised questions about so many industries putting all their IT eggs in one corporate basket-case that the world comes crashing down in a single point of failure, but people couldn't see the Operating System behind the forest of Blue Screens seen all over the planet, 'cause it's all CrowdStrike's fault... :)
@lazymass 6 months ago
Yeah, using Linux would not help, CrowdStrike caused Linux kernels to panic in the past also... But keep hatin' if you wish so
@henson2k 6 months ago
Endpoint protection should be Windows functionality, opening kernels for random 3rd party companies is no different than introducing virus into the system. And then nobody is responsible for anything.
@grokitall 6 months ago
The only alternative to third party drivers is to have a limited number of all-in-one boards like Apple has, then write all the drivers yourself. That solution looks worse than the problem. The better solution is to persistently track which module is starting, and if it crashes the kernel, disable it on reboot.
@grokitall 6 months ago
@@jbird4478 I'm not sure that is actually possible. While I don't doubt that processors have multiple rings as a security measure, what you are talking about is something like having a user mode in kernel space, which I can't see any way for the hardware to manage. This is why operating systems only use kernel mode and user mode. This additional mode would need you to tell it it could access this small range of memory, but none of the other memory, and while I can see how the operating system could provide service functions to do so, it would not give you any advantages over providing those same functions to user space, and would have all the same context switching and message passing costs that are inherent in the microkernel model, which nobody has figured out how to make efficient since the 1970s when the idea was first proposed. For something like a serial port, communicating at 56 kilobits per second, this could work as a user space driver, but for things like gigabit networking and external hard drives I am sure that the costs involved would slow it down too much, which puts us right back to having the drivers in kernel mode.
@JudgeFredd 6 months ago
Totally agree - it’s totally a Micro$oft fault
@LA-MJ 6 months ago
Fuzz your interpreters people. Write them in memory safe languages only.
@grokitall 6 months ago
This really bugs me. It does not matter what language you write in, it can have bugs. If it then runs in kernel mode without going through enough testing, it can crash the kernel. This was a kernel or user space issue, combined with lack of testing. Language had nothing to do with it.
@Idontlikecringecontent 6 months ago
Bro you are my hero
@8kman0 6 months ago
IMO as the details of the outage were stated, both Microsoft and Crowdstrike are to blame. MS for not fixing this whole dangerous approach a long time ago and Crowdstrike for omitting best practices in favour of expediency of updates: injecting the update through an uncertified file that is processed by the kernel driver, instead of changing the driver and having it tested and re-certified by the MS lab procedure. PS: As was hinted in several videos on the subject, Crowdstrike is not the only one who does this. I wonder for example if Windows gaming anticheat technologies are not used to do this "hack" when updating as well. That is ofc just a layman's outlook. In the end, it will be down to technicalities of law and legal experts.
@grokitall 6 months ago
Leonard French did a legal deep dive on his and to sum it up, both Crowdstrike and Microsoft have some exposure for gross negligence here, and lawsuits are being prepared against both.
@simontillson482 6 months ago
Games don’t install their own kernel drivers, so it’s not even slightly a similar thing. They generally use installer-level patches for updates, and that would go for anti-cheat updates to control new cheat strategies as well.
@leonzewe 6 months ago
@@simontillson482 This used to be true but a lot has changed in the last 5 years. Many games employ kernel level anticheat nowadays (see Valorant as an example). They actually do deploy their anticheat as kernel drivers, and yes, it's bad.
@simontillson482 6 months ago
@@leonzewe Wow, that is indeed news to me. Seems a rather over the top solution. I bet it hasn’t eliminated cheating either - there’s so many ways to modify online gaming that don’t even need to change the game itself. I’ll do some reading, thanks for the tip.
@Corteum 6 months ago
What are some examples of a good Windows security product that does not require kernel access at all?
@MalwareTechBlog 6 months ago
Unplugging the computer
@Corteum 6 months ago
@@MalwareTechBlog So there's really no practical solution to this problem yet.
@MalwareTechBlog 6 months ago
Not until Microsoft makes user mode replacements for all the capabilities security products need
@grokitall 6 months ago
Firewalls can now be implemented in user space, on-access virus scanners can as well, and packet filtering. It all depends on what parts have been made visible to user space.
@Corteum 6 months ago
@@MalwareTechBlog What about TDSSKiller or GMER?
@christopherstaples6758 6 months ago
@15:20 are you talking about "Dave's Garage"?
@gamingthunder6305 6 months ago
I'm sure he is.
@midknight1339 6 months ago
He is; he refers to that channel at the start of the video
@jimg2850 6 months ago
I'm sure Crowdstrike insisting that this was not Microsoft's fault is nothing to do with them depending on Microsoft for their market.
@Igbon5 6 months ago
Have you addressed the other factor Dave considered comparing Microsoft to Apple? Apple doesn't care about backward compatibility. I suppose that's ok with a smallish cult-like user base, but Windows is dedicated to ensuring backward compatibility and with the relative depth and breadth of the user base compared to Apple that seems to me to be a significant factor.
@tutacat 6 months ago
Why anyone used administrator accounts as daily accounts on Windows
@goobye9980 5 months ago
W Marcus, I just watched the video on his life
@ibizenco 5 months ago
Loading "third party" programs into the kernel sounds like a bad method. Microsoft should find another/better way.
@unpronouncable2442 6 months ago
This is the first time I hear someone mention the EU as a party to blame. I know blaming Windows is popular but I think the fault is on Crowdstrike, you know, the party responsible for pushing an empty file for the sensor to use?
@grokitall 6 months ago
Microsoft tried to throw the EU under the bus to distract from the fact they have not fixed the boot loop bug since 2016. Everyone but fanboys immediately called it out as BS.
@MatthewSuffidy 6 months ago
At a fundamental level though, is Microsoft legally responsible for crashes caused by 3rd party software? Probably not. You are claiming the 3rd parties had no choice but to provide products as necessary? Maybe it just comes down to who caused the crash, which would be CrowdStrike?
@MalwareTechBlog 6 months ago
No, they're not legally responsible for the crash, they just made the conditions that forced antimalware products to behave in this way.
@RunicSigils 6 months ago
@@MalwareTechBlog Really the point stands though that it was a known thing, so the one doing the update should have been checking. It's like blaming your car manufacturer because you were injured in a car crash in a way that would only happen if the airbag wasn't there.... After YOU took the airbag out. You can argue about whether or not the way it works is good, but it's not their fault in any sense of the word. It's like when people blame Nintendo for some Switch ports not being very good, even though it was the developer or publisher cheaping out and not doing a good port. There's no such thing as a system that can't run a game (most ports used to be at least somewhat custom made for the system for a reason), only a game that a dev or publisher is not willing to put any effort into, so it's not Nintendo's fault even though they're the ones that chose to have a lesser-powered system. The devs and publisher are the ones who are joining onto a system and then not doing the work necessary to make sure it works well. Just like Crowdstrike did.
@grokitall 6 months ago
@@RunicSigils Actually, Microsoft have had recurrences of the boot loop problem since 2016. The fix is also fairly simple, they just have not done it, leaving them potentially liable under gross negligence laws. The EULA only provides a get out of jail free card to the extent allowed by law, which does not cover negligence.
@nosuchthing8 6 months ago
It's clear they need THREE levels, not two.
@p7272 6 months ago
The title alone gets a thumbs up from me. I can't believe so many people are letting MS off the hook when it's their DAMN house that CrowdStrike is F'n up!!! Also glad you mentioned Dave's Garage because he was trying to let MS off the hook.
@wesch4232 6 months ago
Not true. The OS cannot be the policeman to prevent all security software mistakes from happening. Crowdstrike also affected Linux in the April 2024 timeframe. So no OS alone has a real fix.
@shexec32 6 months ago
Microsoft did provide the ELAM driver infrastructure as a supported way of hooking into kernel activity (which is what Crowdstrike uses). It's just that Crowdstrike deployed inherently unsafe code, and ran it in an unsafe privileged context. If they ran their configuration code in Ring 3, there would have been no BSoD. If they ran their code in the safety of a sandbox, Windows would not have blue screened. If they tested their own code properly, their driver would not have BSoDed. If they implemented their automated deployments correctly, the faulty 291 file would never have reached everyone's machines. If they implemented proper memory probing and error checking in their driver, it would never have bug checked. Their subreddit was filled for three years with end users complaining about their driver causing blue screens. If Crowdstrike had not ignored those warnings, they would have found their kernel driver was fundamentally broken, would have hired developers to fix it, and we would not have seen the outages that occurred this month. The only place where Microsoft went wrong is granting Crowdstrike their WHQL stamp of approval. Though Microsoft should have seen in their Windows telemetry that CSAgent.sys is not a driver that deserves to bear the WHQL certificate.
@MalwareTechBlog 6 months ago
No, ELAM was provided as a way for antivirus drivers to start before other 3rd party drivers. It doesn't solve any of the problems discussed in this video.
@RosalandWhite 6 months ago
Hello! Marcus, I wanted to know if you ever thought about creating security software for individuals and businesses to help secure their personal online data and financial data against computer hackers, ransomware and identity thieves. And showing more online how people can block hackers from sending viruses into their computer systems. Offering free and paid software and videos. Creating simple software and videos that teach beginners how to code in creating technical products, from a computer operating system to video games. Take care and thanks.
@27july1954 6 months ago
No. It is CrowdStrike's fault. They pushed out the defective software, not Microsoft or the EU. It is the EU who forced Microsoft to allow third party software to operate at the kernel level. Microsoft did not want to allow this; they were forced to by the EU. That is why it is argued it is the EU's fault. No. It is CrowdStrike's fault. They pushed out the defective software, nobody else.
@NinjaRunningWild 6 months ago
The person or company that does a thing is responsible for having done it. The end. No further logic needs to be applied.
@nosuchthing8 6 months ago
I blame society!!!😂
@artysanmobile 6 months ago
Microsoft blew it. No excuse.
@dasistgeheim1067 6 months ago
Hey, nice vid. Couldn't think of anyone who could explain this to such a level of quality. 9:34 maybe fix the vuln in your ceiling btw.
@Biggyshuvt 6 months ago
This is all helpful info, but would you mind citing your sources? Possibly adding them to the description; it will help with researching. Thanks.
@MalwareTechBlog 6 months ago
Which parts are you looking for sources for?
@utensilapparatus8692 6 months ago
Liked and Left 😊
@dm3035 6 months ago
What about MUSHROOMS ? 🤔 🤔 🤨
@deek60819 6 months ago
Bro... did you not get your gift card? what's it gonna take, $15?! 🤯
@Tr3xShad 6 months ago
KZbinrs, hey, smh. In that case I guess many of us are ridiculously overqualified to speak on this, but we are not KZbinrs; we still do the work we do 😂
@MalwareTechBlog 6 months ago
Not posting on KZbin wasn’t a qualification last I checked
@thechosenoneforyou 6 months ago
Welp this didn't age well 😭
@MalwareTechBlog 6 months ago
L comment
@alex_zetsu 6 months ago
No, I'm going to side with Microsoft that once it let antiviruses see signatures in user mode, they have most of what they need, signature and network monitoring, not EDR. The fact that they still needed kernel protection from being removed by malware is a fair argument. Ok, to be fair I'm a pleb and not an expert, but even if you're right that Microsoft needed to let antiviruses into the kernel, this explanation needs to be clarified and more specific, since it doesn't sound convincing to a typical office worker compared to Dave.
@MalwareTechBlog 6 months ago
Signature and network monitoring is not “most of what they need”; the entire EDR market exists because of that.
@shexec32 6 months ago
The WHQL driver requirement predates Windows 7 and Vista. The thing where Windows refused to install drivers that weren't WHQL signed started with the Windows XP operating system (though WHQL itself is much older than that).
@MalwareTechBlog 6 months ago
The Windows 10 process is different. It requires an Extended Validation code signing certificate issued by Microsoft themselves, which requires you to go through Microsoft's own validation process. Previously any code signing certificate would suffice.
@jeffreybassett9918 6 months ago
In MY view - the fact that CrowdStrike is using an MS Certified driver -- that went thru the certification - NOW we learn that it is ALLOWED to run off and execute code that has NOT been validated as safe - (the driver needs to check that everything it is going to execute is a valid, safe set of code) (I get it, their patch was bad, we know that; even the most basic validation of the CrowdStrike file would have prevented the issue) - to ME - Microsoft needs to TIGHTEN the certification process. Why can a CERTIFIED TO BE SAFE kernel driver load ANY code to execute without checks that the code is valid? Think of an emulator that runs emulation - hmmm, that emulated instruction is not legal - so - I am NOT going to allow you to execute (or TRY to execute) code that we know is not valid - THROW an error - sorry bub - that will not fly - so - sure, the CrowdStrike patch would have received ERROR messages but NOT caused a BSOD (which of course is doing exactly what it was designed to do - PROTECTING the system). I.e. there can be, and possibly should be, recovery from an attempt to execute an INVALID set of code - instead of throwing up a BSOD - additional recovery from that situation might also be a solution. JTB
@7_of_9 5 months ago
Use built-in antivirus, keep admin privileges to ONLY those admins who actually know wtf they are doing. Move on!
@2rx_bni 6 months ago
Microsoft is just so insecure as to be laughable. I don't understand why they are still so popular. People can take free classes to switch to Apple, and Linux is getting easier to use. Windows is an embarrassing joke, Azure sucks for stability and Sharepoint is a curse. I just...hate them a lot actually.
@pseudonymity0000 6 months ago
Apple did NOT "remove all security products from the kernel, but gave them all the same capabilities in user mode"... That is a function of UNIX, the base of MacOS and iOS. Unix OS's and their derivatives are all about keeping as much out of ring zero as possible, as it should be. Frankly, if Microsoft was making a move to do this years ago and was prevented by bureaucracy, I'm not really going to blame Microsoft for this. You make it sound like they were just kicking them out of the kernel arbitrarily, and that malware writers would have still had an easy time making malware while the antivirus people were left in the dust... However, this is not the case, as the planned roll out during this time was to also introduce VBS (Virtualization based security). By the very nature of virtualization, nothing would have any idea about the underlying system, not even malware. It is a very difficult task to break out of a virtual machine, as a lot of the isolation security is then enforced at the processor/hypervisor level. This technology was then delayed for mass market, and only started sprouting up again when Windows 10 came around. Yes, the antivirus people would have lost a lot of capabilities to hook into the kernel, and install their rootkits to fight the rootkits. But so would the malware developers. You make it sound like the malware developers would have still been kicking these things out on a lazy afternoon as if it's business as usual, on the assumption that it was on the same security paradigm. That was simply not the case... Well, that was until the antivirus companies sued, ironically, putting system security back. Frankly, everything needs to be out of ring zero that doesn't need to be there. Windows got a lot more stable after they kicked a lot of driver functions out of the kernel.
Now, if your graphics card or wifi adapter has a hiccup, you are more likely to get a simple flash to black or a blip in your Internet connection as the driver reboots, rather than a BSOD. The key thing here is Linux and Unix, which follow the philosophy of keeping as much as possible out of Ring 0 unless thoroughly tested, were not affected. So yes, the problem was arbitrary things running in ring zero, and anything which prevented the kicking out of this privilege level is to blame. That being the antivirus vendors and the EU. Yes, you can argue that they had their APIs and the virus vendors had others, but this is not really any different to how Windows runs anyway. There are a lot of APIs that are not exposed to developers, and are for the internal workings of the Windows system. You also have to consider the conflict of interest here. Defending the antivirus companies as if they were the poor pitiful victim of Microsoft's locking down of their products is actually quite amusing. Just like how a drug company does not want to make a cure, but would rather make a treatment. An antivirus company would not want there to be a cure to a security issue. They want to be the treatment. Maybe it is that they sued because they knew that this move to harden up Windows security would severely impact their business, as the skill level to craft successful malware would have risen significantly, making it less prevalent. It would also mean that the caliber of engineers they would need to hire to get their anti-malware to break out of the VM and into the base kernel, without causing any problems, would also have risen. This would have increased their expenditure on wages for such talented teams. The fact is, when you're operating on ring zero, there be dragons... If your software requires entering the land of dragons, then you better respect and come prepared for evading them. CrowdStrike did not do so, and managed to send an update out which was nothing but zeros...
All they had to do was run the update on test targets before going live. They evidently didn't do this and threw caution to the wind, and well... The dragons came. On Linux and Unix, if you enter the realm of dragons and mess up so bad you cause your system to fry, Linux isn't blamed... You are blamed... You entered the realm of dragons and were not prepared. You touched what you should not have touched... The kernel developer isn't blamed for not making it friendly and easy for you by giving you a nice tamed dragon to pet. The blame lies entirely on those who entered the realm of dragons through pure hubris, and did not respect the land on which they stepped.
@grokitall 6 months ago
Any general purpose kernel running on user selectable hardware requires kernel mode third party drivers. Even Linux has them with the Nvidia drivers. If that driver has a bug, it can crash the kernel. It is that simple. However, there are things that can be done which can help recovery, none of which is done in Windows.
@Ichi.Capeta 6 months ago
Man, Mac users on twitter/X must be embarrassed and deleting their tweets by now. So quick to jump on the wagon shitting on MS.
@tutacat 6 months ago
The kernel is supposed to block unprivileged access from the beginning. To do otherwise is to write a bad kernel.