Email or username:

Password:

Forgot your password?
Top-level
hanno

Their products are flawed not just because they're badly implemented - which they are - but because they are based on a stupid idea. The idea that you improve your IT security by adding more complexity. Doing the opposite is the right approach. But you can't sell that as a product. (You can still sell it, but it's not something you just plug into your network and get security magically.)

26 comments
hanno

Honestly, if we could get that one basic message out, that if their IT security is based on more complexity, not less, that they're doing it wrong, maybe we could start putting crap companies like crowdstrike or citrix out of business.

hanno

I'm mentioning citrix specifically because it really boggles my mind how they can be still in business. In case you don't remember, there were countless gov entities, hospitals, and what not, hacked in 2020, due to a really epic fuckup by citrix. It was a flaw they knew about, and hadn't provided a fix, only an unreliable workaround that sometimes didn't work.

hanno

Actually, the value of Citrix rose after that: marketscreener.com/quote/stock These things have no consequences for these companies, it's a completely broken market. I'm reading news that crowdstrike's value dropped, I have doubts that this will be permanent.

Bálint Szilakszi

@hanno not if major news orgs don’t even get the company name right:

The financial times front page blaming the IT outage on Microsoft
LinuxUserGD

@szbalint @hanno Seems to be technically right because the BSOD is a Microsoft Windows outage

Ash_Crow

@HugeGameArtGD @szbalint @hanno it's still caused by a third party software. Had they broken their Linux updater instead of the Windows one, we would get kernel error screens.

LinuxUserGD

@Ash_Crow @szbalint @hanno
The title is misleading, though Cloudstrike is mentioned later in the article.
"The outage has been blamed on a security update from US group CrowdStrike, which caused a problem with Microsoft’s Windows."
archive.is/20240719080823/http

MarvinFreeman

@Ash_Crow @HugeGameArtGD @szbalint @hanno Serious question: Why is #cloudstrike deployed almost everywhere with windows? Is it pushed by MS? Or recommended? Or packaged with MS products?

Ash_Crow

@horse @MarvinFreeman @HugeGameArtGD @szbalint @hanno It's also not deployed everywhere. It seems like it is used by "nearly 60% of Fortune 500 companies and more than half of the Fortune 1,000 ", per en.wikipedia.org/wiki/2024_Cro

👻👻 Flippin' spook, Tucker!

@MarvinFreeman @Ash_Crow @HugeGameArtGD @szbalint @hanno It's not by any means deployed everywhere with WIndows. They have almost no market impact in the consumer space, for example, which is why millions of people turned on their home Windows machines today and had no problems at all.

But in the business world, there are only a few companies offering that sort of product. So let's say they have a (guessing) 10% market share -- that means 10% of businesses will be hit by the problem. That's a lot of high-visibility outages.

@MarvinFreeman @Ash_Crow @HugeGameArtGD @szbalint @hanno It's not by any means deployed everywhere with WIndows. They have almost no market impact in the consumer space, for example, which is why millions of people turned on their home Windows machines today and had no problems at all.

But in the business world, there are only a few companies offering that sort of product. So let's say they have a (guessing) 10% market share -- that means 10% of businesses will be hit by the problem. That's a lot...

Felix Dreissig

@hanno As long as everyone is affected, nobody did much wrong. 🤷‍♂️

Dan Veditz

@F30 @hanno

As people said last century, "Nobody gets fired for buying IBM."

Adam Dalliance

@hanno Thousands of investors have now heard of CrowdStrike who had never heard of it before, and the stock is at 20% discount!

Steve Canon

@hanno shows dumb money that doesn't understand what they do how widely used their product is.

Charles U. Farley

@hanno Having worked in tech for 30 years and for multiple security companies, I 100% agree. Google is the only one I've worked for that comes close to being the exception, and I think it's just because their security expertise is hard won in keeping *themselves* secure.

VanillaSkunk

@hanno For one... I have a ton of Dell thin clients that... just do Citrix connections and nothing else. That's their factory design.

You can't just stop when it means deleting a bunch of computer terminals too.

Felix Dreissig

@hanno I‘m torn on this one:
If you wanna build secure systems from first principles – definitely true.
In a real-world IT landscape with all its existing complexities and the everday, unsophisticated threats – I can see a case for solutions such as endpoint antivirus. Which leaves us with their subpar implementation quality.

Miah Johnson

@F30 @hanno I would believe Endpoint Antivirus was beneficial if I didn't see a news report every week about some company (who you know is using endpoint protection of some kind) falling to ransomware.

Miah Johnson

@F30 @hanno The only thing that endpoint security is consistently good at is making auditors happy.

Rich Felker

@F30 @hanno It's still wrong. It's being used because admins don't understand how to use filesystem permissions and group policy to prevent users from running virus infested shit.

Darwin Woodka

@F30 @hanno If governments had let us build secure computers right in the first place we wouldn't even have these problems tho

Sandor Szücs

@hanno it is really interesting how many people including engineers are thinking that a blackbox full of magic promises will do „security“ things for you.

Mot

@hanno This is the reason why a lot of people in IT call these „security“ products and practices „snake oil“ - because they are as esoteric, useless and expensive as snake oil that was sold by charlatans in the Middle Ages.

cynicalsecurity :cm_2:

@hanno Byzantine designs are marketable, simple reliable, dependable (and, hence, secure) designs are not.

Go Up