Gregory's ServerLet's cut the bullshit and spell out a few things. The IT security industry is about as trustworthy as the food supplement and vitamin industry, but somehow they escaped the same reputation. Their products are overwhelmingly based on flawed ideas, and the quality of their software is exceptionally bad. And while not everyone will agree with the harshness of my words, I'll say this: Essentially everyone in IT security who knows anything in principle knows this.
|
38 comments
Honestly, if we could get that one basic message out, that if their IT security is based on more complexity, not less, that they're doing it wrong, maybe we could start putting crap companies like crowdstrike or citrix out of business. I'm mentioning citrix specifically because it really boggles my mind how they can be still in business. In case you don't remember, there were countless gov entities, hospitals, and what not, hacked in 2020, due to a really epic fuckup by citrix. It was a flaw they knew about, and hadn't provided a fix, only an unreliable workaround that sometimes didn't work. Actually, the value of Citrix rose after that: https://www.marketscreener.com/quote/stock/CITRIX-SYSTEMS-INC-4863/ These things have no consequences for these companies, it's a completely broken market. I'm reading news that crowdstrike's value dropped, I have doubts that this will be permanent.   @HugeGameArtGD @szbalint @hanno it's still caused by a third party software. Had they broken their Linux updater instead of the Windows one, we would get kernel error screens.  @Ash_Crow @szbalint @hanno @Ash_Crow @HugeGameArtGD @szbalint @hanno Serious question: Why is #cloudstrike deployed almost everywhere with windows? Is it pushed by MS? Or recommended? Or packaged with MS products? @MarvinFreeman @Ash_Crow @HugeGameArtGD @szbalint @hanno It’s not packaged with or pushed by MS; it’s just the best EDR. @horse @MarvinFreeman @HugeGameArtGD @szbalint @hanno It's also not deployed everywhere. It seems like it is used by "nearly 60% of Fortune 500 companies and more than half of the Fortune 1,000 ", per https://en.wikipedia.org/wiki/2024_CrowdStrike_incident#Impact  @hanno Thousands of investors have now heard of CrowdStrike who had never heard of it before, and the stock is at 20% discount!  @hanno shows dumb money that doesn't understand what they do how widely used their product is.  @hanno Having worked in tech for 30 years and for multiple security companies, I 100% agree. Google is the only one I've worked for that comes close to being the exception, and I think it's just because their security expertise is hard won in keeping *themselves* secure.  @hanno For one... I have a ton of Dell thin clients that... just do Citrix connections and nothing else. That's their factory design. You can't just stop when it means deleting a bunch of computer terminals too. @hanno I‘m torn on this one:    @hanno it is really interesting how many people including engineers are thinking that a blackbox full of magic promises will do „security“ things for you. @hanno Byzantine designs are marketable, simple reliable, dependable (and, hence, secure) designs are not.  @hanno Sadly, that is a pretty theoretical approach. How do you handle the ever-increasing complexity brought by the business side of your company and their requirements, in a landscape of an operating system and cloud services that also increase in complexity, and that the vendor that has you by the balls forces upon you? It is a overarching IT architecture issue...  @hanno And yet organisations outsource core Availability Management drivers without regards to Change Management and Contingency Planning. Perhaps if executive bonuses were linked to service availability and performance things would improve.  @hanno Yep.Security should be present by design from the start, not bolted on by a third-party utility at a later date. @StephenBoylett @hanno absolutely, but governments wouldn't let us build computer systems that way so oh well  @hanno It's sort of the health care industry approach. You can't sell more medications if you cure diseases, right? So why would anyone work on a pill that you taken once and cures something? @hanno Also, the people. At some point in the early 2000s we collectively decided that foxes were *exactly* the people we wanted to guard the henhouse.  |
Their products are flawed not just because they're badly implemented - which they are - but because they are based on a stupid idea. The idea that you improve your IT security by adding more complexity. Doing the opposite is the right approach. But you can't sell that as a product. (You can still sell it, but it's not something you just plug into your network and get security magically.)