Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Microsoft Windows

Some Def Con Attendees Forgive Crowdstrike - and Some Blame Microsoft Windows (techcrunch.com) 93

Fortune reports that Crowdstrike "is enjoying a moment of strange cultural cachet at the annual Black Hat security conference, as throngs of visitors flock to its booth to snap selfies and load up on branded company shirts and other swag." (Some attendees "collectively shrugged at the idea that Crowdstrike could be blamed for a problem with a routine update that could happen to any of the security companies deeply intertwined with Microsoft Windows.") Others pointed out that Microsoft should take their fair share of the blame for the outage, which many say was caused by the design of Windows in its core architecture that leads to malware, spyware and driver instability. "Microsoft should not be giving any third party that level of access," said Eric O'Neill, a cybersecurity expert, attorney and former FBI operative. "Microsoft will complain, well, it's just the way that the technology works, or licensing works, but that's bullshit, because this same problem didn't affect Linux or Mac. And Crowdstrike caught it super-early."
Their article notes that Crowdstrike is one of this year's top sponsors of the conference. Despite its recent missteps, Crowdstrike had one of the biggest booths, notes TechCrunch, and "As soon as the doors opened, dozens of attendees started lining up." They were not all there to ask tough questions, but to pick up T-shirts and action figures made by the company to represent some of the nation-state and cybercriminal grups it tracks, such as Scattered Spider, an extortion racket allegedly behind last year's MGM Resorts and Okta cyberattacks; and Aquatic Panda, a China-linked espionage group.

"We're here to give you free stuff," a CrowdStrike employee told people gathered around a big screen where employees would later give demos. A conference attendee looked visibly surprised. "I just thought it would be dead, honestly. I thought it would be slower over there. But obviously, people are still fans, right?"

For CrowdStrike at Black Hat, there was an element of business as usual, despite its global IT outage that caused widespread disruption and delays for days — and even weeks for some customers. The conference came at the same time as CrowdStrike released its root cause analysis that explained what happened the day of the outage. In short, CrowdStrike conceded that it messed up but said it's taken steps to prevent the same incident happening again. And some cybersecurity professionals attending Black Hat appeared ready to give the company a second chance....

TechCrunch spoke to more than a dozen conference attendees who visited the CrowdStrike booth. More than half of attendees we spoke with expressed a positive view of the company following the outage. "Does it lower my opinion of their ability to be a leading-edge security company? I don't think so," said a U.S. government employee, who said he uses CrowdStrike every day.

Although TechCrunch does note that one engineer told his parent company they might consider Crowdstrike competitor Sophos...
This discussion has been archived. No new comments can be posted.

Some Def Con Attendees Forgive Crowdstrike - and Some Blame Microsoft Windows

Comments Filter:
  • by phantomfive ( 622387 ) on Sunday August 11, 2024 @02:42AM (#64696024) Journal
    99% of people at BlackHat are there because a corporation paid them to be there. In most cases, it's a "cyber" security corporation. Of course people running the same kind of operation as Crowdstrike feel sorry for Crowdstrike.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      99% of people at BlackHat are there because a corporation paid them to be there. In most cases, it's a "cyber" security corporation. Of course people running the same kind of operation as Crowdstrike feel sorry for Crowdstrike.

      Paid sponsors? Most “cyber” security companies are in business because of Microsoft’s tradition with “security”.

      The irony could be easily lost if not for being so bitch-slap worthy.

    • by vlad30 ( 44644 )
      On the other hand if Microsoft had better security built into Windows crowdstrike and its ilk wouldn't exist
  • Microsoft has been incompetent and supplying insecure software for almost half a century.

    Crowdstrike is incompetent too and carelessly fucked up critical bootup files.

    But here's the clincher: both Microsoft and Crowdsource need to exist and both need to be incompetent for the misery the Crowdstrike software unleashed to happen at all. One can't exist without the other or without the other's incompetence: Crowdstrike's very raison d'etre and selling point is to compensate for Microsoft's incompetence. They o

    • Re:I blame both (Score:4, Interesting)

      by gweihir ( 88907 ) on Sunday August 11, 2024 @07:16AM (#64696202)

      I completely agree. Well said.

      Incidentally, when (not if) we get real product liability (as has happened in _all_ other engineering disciplines eventually), neither Microsoft nor Cloudstrike will exist much longer

      • by Bongo ( 13261 )

        I completely agree. Well said.

        Incidentally, when (not if) we get real product liability (as has happened in _all_ other engineering disciplines eventually), neither Microsoft nor Cloudstrike will exist much longer

        I agree, liability is foundational. But, in 1986 the government gave vaccine manufacturers quite a bit of immunity, because they were getting sued. (That is not medical advice, that's just what happened.) I would guess that the big players in the IT industry only need to argue that writing bug free code is impossible -- and that includes that it's impossible to devise enough tests to find every bug -- therefore, there will always be damages -- but if you allow millions of people and thousands of companies t

    • Yup - A low quality OS plus a low quality security layer, does not magically make a high quality system.
    • by Creepy ( 93888 )

      Crowdstrike failed to actually test their patch, which tells me they have no QA. As a former QA worker, I've seen serious f*ups, but none that actually reached customers. Microsoft OTOH, has released buggy software for years, but nothing OS crippling that I know of.

      • They've released some Windows patches in the last couple of years that broke a portion of systems. Nothing on this scale, though. But MS has also famously slashed their QA.
        • Re: I blame both (Score:4, Insightful)

          by Creepy ( 93888 ) on Sunday August 11, 2024 @05:43PM (#64697258) Journal

          I have two cousins that used to do QA for them in Seattle, and while they slashed QA in the US, they hired in other countries like India, China and Romania where labor was 1/3 to 1/4 the cost (no idea what it is now, that was like 2005). I only kept a job in the US for a long time because we were US government contractors, but even that job went to developers because out of 10 people, who do you cut first? I've seen that product deteriorate and wrote about 50 bugs because I now support it - number fixed? 3. They recommend we upgrade to the latest and see if the bugs still exist (I have zero control over that).

      • This CrowdStrike bug specifically could not have happened on Linux because of guard pages and similar protections. The problem enabling it in Windows is there are many things that expect to be able to go out of bounds and not get killed off.

  • by khchung ( 462899 ) on Sunday August 11, 2024 @02:52AM (#64696030) Journal

    This so fits the stereotype of what most people think of cybersecurity: "security == inconvenience"

    The fact that supposed security experts would think so lightly of a piece of security software bringing down the systems it was supposed to protect shows how abyssal the state of the industry is. Availability was supposed to be one of the aim of security, and that seemed to be lost somewhere in all the buzzwords.

    • by phantomfive ( 622387 ) on Sunday August 11, 2024 @03:38AM (#64696066) Journal
      Note that most of the people interviewed were not actually programmers.
    • by NettiWelho ( 1147351 ) on Sunday August 11, 2024 @04:23AM (#64696080)

      The fact that supposed security experts would think so lightly of a piece of security software bringing down the systems it was supposed to protect shows how abyssal the state of the industry is. Availability was supposed to be one of the aim of security

      bluescreens force system to shut down to prevent running with corrupted state, to protect from further damage.

      • Availability was supposed to be one of the aim of security

        bluescreens force system to shut down to prevent running with corrupted state, to protect from further damage.

        You're both right. The BSOD is better than running insecure. But you know what's better than a BSOD? Security software that checks its own input to make sure that it makes sense before accessing memory locations based on that input. This isn't security 101 because they didn't even get that far, this is programming 101. You have to check your input just to protect from data corruption, let alone malice or hey, what about simple incompetence?

        Crowdstrike isn't even competent at programming, what makes anyone i

        • by Tablizer ( 95088 )

          But you know what's better than a BSOD? Security software that checks its own input to make sure that it makes sense before accessing memory locations based on that input.

          The problem as I understand it is that a good security system allegedly needs Turing-Complete scripts that can be added during run-time. But because they run at the root level, they need to run fast. Validation of memory and values allegedly slows them down too much.

          I'm not sure if they can use compiled DLL-like things that are checked vi

      • by khchung ( 462899 )

        The fact that supposed security experts would think so lightly of a piece of security software bringing down the systems it was supposed to protect shows how abyssal the state of the industry is. Availability was supposed to be one of the aim of security

        bluescreens force system to shut down to prevent running with corrupted state, to protect from further damage.

        Forgivable if the system was under attack and CrowdStrike shutdown the machine as a defensive measure.

        Taking down the system with a routine maintenance is more like a body checkup that knocked the patient into coma.

      • by Tablizer ( 95088 )

        bluescreens force system to shut down to prevent running with corrupted state, to protect from further damage.

        We need Yellow Screen of Second Chance ;-)

    • by Jahta ( 1141213 )

      This so fits the stereotype of what most people think of cybersecurity: "security == inconvenience"

      Agreed. Too many people fail to recognise that security is a spectrum with "Secure As Possible" at one end, and "Convenient As Possible" at the other end. The challenge is to strike a sane balance between the two, based on your particular threat model. At, or near, either extreme is usually not a good place to be.

      • by gweihir ( 88907 )

        Not quite, the threat model is only part of it. What you actually need to do is competent IT risk management and that is much more than just a threat model.

        Anyways, having fundamentally incompetent coders (as Crowdstrike was clearly using) implement new features in system components that can make a system unbootable and then fail to adequate test and review these changes, is clearly a balance that will work only for "toy" systems.

        • by Jahta ( 1141213 )

          Not quite, the threat model is only part of it. What you actually need to do is competent IT risk management and that is much more than just a threat model.

          True. I was using "threat model" as a shorthand for "well thought out security policy and management". The model is just the foundation; you have to implement practical solutions on top of it.

      • Military IT motto: We are not happy until you are not happy.
      • by hjf ( 703092 )

        The "Cybersecurity" team at my company has always been in the "as secure as possible, and we decide how you do things. and nothing you can say will change our minds. we have one policy for everyone, and we won't change it for anyone".

        this also affects developer machines. We were recently notified that PowerShell access will be removed entirely, and activated in a case-by-case basis only and only if cybersecurity considers the justification for it good enough (they won't. they don't want to deal with anythin

        • by Bongo ( 13261 )

          The "Cybersecurity" team at my company has always been in the "as secure as possible, and we decide how you do things. and nothing you can say will change our minds. we have one policy for everyone, and we won't change it for anyone".

          this also affects developer machines. We were recently notified that PowerShell access will be removed entirely...

          I get the impression that there's something about cyber security which makes space for this kind of mindless rule making. We have a list of controls and our job is to make everyone follow the controls, like. It's like you have to wear a space suit and a deep diving suit and steel toe capped boots and a safety helmet and strap a defibrillator to yourself and have hazmat suit and a biological warfare suit, all at the same time.

          I suspect the reason is that children can learn to understand rules in a simple way

          • I certainly wouldn't dismiss the possibility of just plain personality defects; but what can happen is that "Cybersecurity" gets handed the responsibility for there to be A Policy (either formally, because someone wants to tick all the boxes to get some insurance or an ISO-something certification; or informally in the sense that any incidents that occur get someone in "Cybersecurity" a dressing down); without there necessarily being either a corresponding "work with cybersecurity so your needs don't just bu
            • by Bongo ( 13261 )

              "Cybersecurity" gets handed the responsibility ... someone wants to tick all the boxes

              merry band of special projects types who wants more or less complete exemption

              'cybersecurity' responsible for risks other people incur

              'cybersecurity' entities are often spooked by the most alarming activities of people analogous to you

              unusable on headless Linux systems ... we're just required to ensure that anyone making those sorts of connections is using either interactive MFA or certificates

              IT discovers that they are d

    • by gweihir ( 88907 )

      The fact that supposed security experts would think so lightly of a piece of security software bringing down the systems it was supposed to protect shows how abyssal the state of the industry is. Availability was supposed to be one of the aim of security, and that seemed to be lost somewhere in all the buzzwords.

      I completely agree. This was an abysmal failure, which Microsoft set up (due to low security and bad boot processes on Windows) and Crowdstrike triggered. Nothing of this is the slightest bit acceptable and should open up both enterprises for shared unlimited liability. I feel deeply insulted that people that apparently think not much has happened are calling themselves "security experts". They clearly are anything but.

    • While both Crowdstrike and Microsoft played a part, it was Crowdstrike that toppled the first domino. They need to own this. You can fuck up any OS if you have low level access and Anti-virus systems need low level access to stop boot viruses. The real blame should go to whoever released the patch without doing enough testing and just as importantly, whoever decided to roll it out on a Friday and all at once. And just because Linux didn't suffer a boot loop doesn't mean Linux is rock solid. I know, I u

    • I certainly wouldn't argue that the 'security' industry is healthy; but it's big enough that it's probably a mistake to read any one person's areas of interest as indicative of the entire industry.

      In the case of Availability; part of that has just been folded into generic "IT"/"Operations", with just being real disciplined and careful about backups on the low end in terms of technical hotshot status; and SREs doing clever things with monitoring and orchestration on the medium/high end; but if you want to
    • by Bongo ( 13261 )

      This so fits the stereotype of what most people think of cybersecurity: "security == inconvenience"

      The fact that supposed security experts would think so lightly of a piece of security software bringing down the systems it was supposed to protect shows how abyssal the state of the industry is. Availability was supposed to be one of the aim of security, and that seemed to be lost somewhere in all the buzzwords.

      There's a third factor:

      Complexity is the enemy of both security and convenience.

      To borrow the slogan [wikipedia.org]

      The network is the [thousands of other people's] computer [who all have their own incentives which don't necessarily align with your own].

      If a system is so critical that it must have deeply invasive security software which is getting live updates, because someone might click a bad link, then why is that system being used for anything critical? Why aren't all these "critical" systems being isolated? Why is eve

  • That RCA is 99% pure bulshittery. Entertaining review of the CrowdStrike RCA [youtube.com]
  • by ndykman ( 659315 ) on Sunday August 11, 2024 @05:03AM (#64696098)

    CrowdStrike didn't have process in which before they released any updates to production, they would just release them to a actual canary environment to make sure it didn't catch all the machines on fire. Which you need to do when you have kernel code.

    Not to mention that the driver seems to be poorly written with a ton of sanity checks missing.

    Finally, Microsoft did propose an API to allow security vendors what they needed in user space. The EU killed it as anti-competitive because MS wouldn't also have to use it, but continue to use kernel drivers, completely ignoring that user-mode code is way easier to write, making it easier for new and smaller business to compete and nothing MS did would prevent you from using kernel drivers if you wanted to.

    • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Sunday August 11, 2024 @06:05AM (#64696138) Homepage Journal

      Not to mention that the driver seems to be poorly written with a ton of sanity checks missing.

      To me, this is the real root of the who-to-blame map. You can put a little bit on Microsoft for just being bad at everything, but ultimately Crowdstrike didn't check their input and that makes them fundamentally incompetent. They have no business being allowed to manage anything.

      Microsoft did propose an API to allow security vendors what they needed in user space. The EU killed it as anti-competitive because MS wouldn't also have to use it

      A more accurate way to write that is that Microsoft didn't want to use it. If Microsoft made that the only way to do those things and then went on to use that mechanism themselves so that their competing products didn't have an anticompetitive advantage, they could have done so. But that's not what they wanted to do. Now here we are, at peak stupid — incompetent, insecure OS gets taken down expensively by incompetent, inadequate security management software.

      • by gweihir ( 88907 )

        Now here we are, at peak stupid — incompetent, insecure OS gets taken down expensively by incompetent, inadequate security management software.

        Not quite complete. The missing part is that incompetent operators first select the grossly insecure OS, then see massive damage done by the incompetently written security software ... and learn apparently absolutely nothing from that disaster.

        The usual damage level where government engineering regulation stepped in hard in the past is a few hundred people dead. Since the customers are clearly too stupid to act proactively, I guess we will see that one happen here as well. What a shame.

    • except MS anti-virus/EDR products were NOT bypassing the restrictions that they were going to enforce for kernel access. if I recall correctly McAfee was making the point that they probably wouldn't adhere to the restrcitions in future and leverage it as an anti-competitive advantage. Knowing MS that might be very true, but it technically wasn't the case when they proposed it.
      • by gweihir ( 88907 )

        Well, then MS could simply have given a respective _credible_ assurance, one with real penalties and regular independent verification they pay for (which would have been peanuts). They chose not to and their history spoke not in their favor.

        This is 100% on MS. The EU is not to blame at all. Unless you think having actually working anti-trust law is a problem?

    • by gweihir ( 88907 )

      Finally, Microsoft did propose an API to allow security vendors what they needed in user space. The EU killed it as anti-competitive because MS wouldn't also have to use it, but continue to use kernel drivers, completely ignoring that user-mode code is way easier to write, making it easier for new and smaller business to compete and nothing MS did would prevent you from using kernel drivers if you wanted to.

      That is a direct lie. The EU "killed" nothing. The only requirement was equal access for 3rd party tools and MS tools. MS chose to not limit their own tools to that API and hence decided to open everything. You do not seem to understand how anti-trust law works and what it purpose is.

    • We're conflating two things - providing a usermode API for security vendors and locking down the kernel. It seems like the EU killed locking down the kernel to only MS. MS can still provide a functional usermode API for security vendors and let customers choose.
  • So they will be lobbying the EU antitrust lawmakers to reverse their rules that require it? I suspect Microsoft would love to lock the kernel down like their smaller competitors.
    • and they should, as long as APIs are provided to be able to perform most of the protection tasks but from user space not kernel space. And: not bypass the restrictions themselves to provide products that don't need to play with the same rules.
    • by gweihir ( 88907 )

      The EU never required it. All MS would have had to do was make it credible that their own security software would not get special access. They can still do that.

      The process here is that the EU finds illegal vendor behavior. Then the vendor is expected to make a proposal, which gets reviewed by EU experts and the competitors that have been wronged. The only acceptable proposal MS made was kernel-level access for the competitors and that one got accepted. They could have proposed other things. Simply promisin

      • Microsoft has kernel API's which have sufficient power to blow up Windows. They are using said API's for Microsoft products (one of which is Windows), but that is considered anti-competitive, so EU requires that all vendors get access to the same API's. Could they have developed some framework which would move things into userspace, and wrap each API is some safety wrapper? Sure. However, this framework itself would be a Microsoft product calling the kernel APIs, which again would violate the EU's antitrust
        • by gweihir ( 88907 )

          That is really just complete bullshit. You need to stop hallucinating or you will never understand how things actually work.

  • Crowdstrike is paying left and right in the hope they will minimize consequences of their mess. The press should not help them with this.

    On the other hand, as a declared Microsoft hater, I would not condemn Microsoft for the level of access they allowed, level of access is granted by the users, OS is expected to do what the user says. And users (sysadmins, management) were guilty for putting trust in Microsoft and Crowdstrike for anything mission critical.

    • by gweihir ( 88907 )

      Microsoft is still guilty of setting the whole mess up and not only by the interface design, but by the general bad state of Windows security and a flawed boot process.

      Yes, MS users are stupid. But human engineering history amply shows that customers generally cannot judge product risks and quality competently. Hence things only ever got better with product liability and/or regulation. Well, I guess we will need a few 100 people dead next time. Maybe then things will change. In other engineering fields, tha

    • Microsoft does a lot to CREATE DEMAND for security products. They never thought much about security or gave it priority except when it is support or damage control and as always, PR.

      We might not have the CPU mess we do right now with remote management and trusted boot etc. if MS wasn't pushing things around in that space. Now we've got Pottering messing with Linux who works for MS...

  • Of course they aren't going to bite the hand that feeds them. That said, I do think Microsoft owns at least a hefty share of the blame
  • Fortune reports that Crowdstrike "is enjoying a moment of strange cultural cachet at the annual Black Hat security conference, as throngs of visitors flock to its booth to snap selfies and load up on branded company shirts and other swag"

    If I were there, I would too. It's potentially a "do you remember when" moment, as in "do you remember when Crowdstrike destroyed Delta Airlines" or for that matter, "do you remember when there used to be a company called Crowdstrike".

    (Some attendees "collectively shrugged at the idea that Crowdstrike could be blamed for a problem with a routine update that could happen to any of the security companies deeply intertwined with Microsoft Windows.")

    Yes, some attendees know it could happen to them, because their software also sucks and also runs on Windows. They don't want to talk too much just in case.

  • If not crowdstrike, if not microsoft, the users then shoulder most of the blame? I guess some inventive tech person could have commited to testing the environment on their own time then publish the results...? I'm being sarcastic btw ./

  • collecting stickers and hoping not to get outed as they are all feds.

  • by Anonymous Coward
    It's Def Con One
    Say, what's the time?
    Just get me some
    Big Mac fries to go.

    Ground floor, coming up!
  • "Microsoft will complain, well, it's just the way that the technology works, or licensing works, but that's bullshit, because this same problem didn't affect Linux or Mac."

    Well, no. Crowdstrike actually managed to fuck this up on Linux earlier in the year, too. This guy has no clue and hasn't been reading the news.

    Blaming Microsoft for this is as much of a stretch as blaming Intel or AMD for the fact that their CPUs executed the buggy code CrowdStrike shipped.

    Not damaging the opinion these people have of Cr
  • Comment removed based on user account deletion
  • by SuperDre ( 982372 ) on Sunday August 11, 2024 @10:13AM (#64696448) Homepage
    This could easily have happened to Linux or Mac. Let's not forget the Crowdstrike linux problems only a few weeks prior. But any lowlevel driver which has access to the kernel can cause such a problem, even on Linux. I've seen Linux also crash due to crappy lowlevel drivers.
  • Microsoft security still can't walk. When you compromise security for every occasion, you cannot expect security.
  • What's needed is a Manhattan Project [stanford.edu]. To design a platform that can't be compromised by feeding it a amalicous script or opening an email attachment or clicking on a malicous WebLink.

    The WinTEL model obviously showing its age and despite masses of sticking-plaster such as CrowdStrike, can never measure up to the task. Since a lot of peoples jobs depend on not knowing this - nothing is going to change.
  • "but that's bullshit, because this same problem didn't affect Linux or Mac"

    No, THAT claim is bullshit, because exactly this kind of problem has happened before both on Linux and Mac, both precisely because the exactly same level of access was given to the software that had the flaw.

  • There. Fixed the title for you.

  • >> "And Crowdstrike caught it super-early."

    Crowdstrike caught what super-early? Definitely not the bug. :-D

    I remember first reading Crowdstrike's explanation on The Register. That Reg article was needed because Crowdstrike's explanation was behind a paywall -- some sort of 'authenticated-corporate-account-only' page. So they were certainly not ready to mitigate the chaos they caused the world -- millions of mandays were lost, perhaps tens of millions.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...