@ainmosni do you really think that there are no orgs using #Crowdstrike Falcon and other tools on their fleets of developer machines running #Linux?

there are many. and that kernel #rootkit module watches EVERYTHING. sometimes it also locks up the entire machine from resource abuse.

@ainmosni exactly. Software of this class needs to be seen as giving the vendor unreviewed root on every system you own. If your CIO isn’t comfortable with it in those terms, a different model is needed.

@ainmosni

I've already collected one anecdotal response.

https://mastodonapp.uk/@JdeBP/112813114562289051

@ainmosni https://mastodon.social/@jzb/112813445627886133 happened to linux as well

@ainmosni Not a Linux problem, but absolutely a failure of the proprietary and software as a service models. If this were an open, in-tree Linux driver, it would likely go through a much more robust review and test cycle as well as not be simultaneously pushed to every Linux system in existence using it. It would be filtered through multiple distros' testing and release processes which would make discovery of the bug much more likely.

@ainmosni I don't think it's totally a "Modern Microsoft problem"

But I think there's a case that at least partially the fault of late 90s/early 2000s Microsoft, who were more than happy enough to ignore security until it became too big a problem to ignore, creating the environment for a swathe of slightly dodgy AV vendors to grow into?

@ainmosni Cant get hit by dodgy updates if you keep forgetting to update 🧠

@ainmosni I spent 40 years in the IT industry including 10 as an industry analyst. I'm well versed in modern platforms and CI/CD. Yet, this suprises me. Given how widespread this is, it seems that cursory testing on the part of CrowdStrike, it's customers, and Microsoft should have caught this.
Much of tbe blame is the fire and forget mentality of cloud services. Customers of these services need to test before rolling out anything new and not rely on the vendors for testing

@ainmosni take off; they're too busy hammering us with useless tenable scans and misinterpreting the results ;o)

@ainmosni Only if the NFT is limited edition!

@ainmosni True, but having my personal PC on Linux saved my ass this morning as I had a 830 AM new client pitch/demo, and came into my home office to a BSOD on my work laptop. I was able to log into Office 365 and Teams from Linux and do the meeting with no issues.

@ainmosni This post for some reason reminds me of a scene in the movie Whatever Happened to Baby Jane where Bette Davis exclaims "But you are, Blanche! You are in that chair!"

@ainmosni@berlin.social https://github.com/MrMEEE/bumblebee-Old-and-abbandoned/issues/123 ​:harold:​

@ainmosni truth. I already got screwed on ubuntu 22 lts by updated nvidia drivers that would crash randomly, freezing my display and making it impossible to recover cleanly.

@ainmosni the way tooany permissions problem you mentioned - is a Microsoft problem

It's the way Windows designed it to work, to promote Defender and make it unnecessary more difficult for commercial products, and mostly impossible for open source - to tackle the functionality of Defender on Windows

Perspective of shared responsibility, of course - just to be clear, the permissions problem is not really a choice of CrowdStrike

@ainmosni I've had this exact thing happen with CrowdStrike Falcon on a couple of Linux servers last year, where a buggy CS update caused their kernel module to randomly corrupt kernel memory, resulting in occasional crashes.

So yes, not an OS problem, but a problem with this particular class of security software that has its tendrils all along the spine of an operating system.

@ainmosni it's not like Crowdstrike hasn't ruined a couple of my weeks as a guy who is only responsible for supporting Linux installs

@ainmosni similar things have happened.

such as when debian pushed an update of their zfs but as the 2.x version on 4.x kernel that can only work with 5.x kernel, which trashed zfs filesystems.

@ainmosni

👆THIS

@ainmosni
Raises hand in "Jia Tan".
#SSHBackdoor

@ainmosni it partly is a Windows problem. The kernel shouldn't crap itself at boot when it encounters a corrupt unsigned binary excuse for a third party sys file.

@ainmosni Also lots of people conveniently forgetting the recent xz fiasco >.>

@ainmosni Ubuntu and their now cultish desire to snap the whole OS. i have to use snap if i want to use LXC/LXD and it gives me a lot of pause using it extensively because i can't control the auto-update of snaps in the background. everytime i think i can, they push something onto the system that undoes my settings and they start auto-updating without my control. i hate it.

@ainmosni

It is also a too much centralization problem.

If there were fewer near monopolies in tech, it would be harder for one bug to cause global outages.

@ainmosni
When people say this is not likely to happen in Linux, they don't just mean "it's not possible to put faulty code in the Linux kernel as an update" or "it's not possible to force automatic updates in Linux", but they mean instead "if it happened, it won't happen in all the Linux world like Windows", so it would be almost unnoticeable, why? (continued in the next comment)

@ainmosni
Combine all the following to understand the point:
1. It is the failure of the proprietary and software as a service models. If this were an open, in-tree Linux driver, it would likely go through a much more robust review and test cycle as well as not be simultaneously pushed to every Linux system in existence using it. It would be filtered through multiple distros' testing and release processes which would make discovery of the bug much more likely (mentioned by @CalcProgrammer1 ).

@ainmosni think Microsoft made a bit of a mistake canning Windows 10X which would of made recovery from this kind of thing a lot easier (atomic updates).

@ainmosni
2. The filter mechanism of Linux distros failed and we got the fault update (that no one knows of)? Backup before an update and the update failed, we can still roll back with BTRFS or roll back to the last bootable image when using an immutable distro (Mentioned by @didek ).

(continued in the next comment)

@ainmosni
Windows does not have all this, all it has is, a non-snapshot and non-immutable OS model that's relying on forced automatic updates that are sent directly to all Windows machines around the globe without the different distros review and testing mechanism that usually their updates goes through.

So It's not just a technical issue, it's also a philosophical issue in Windows.

@ainmosni My experience is the opposite. In any org that I was allowed a company-owned and issued Linux system, we were exempt from the requirement to have the enterprise remote install/control BS. (Only two orgs allowed this.)

That said, it's certainly _possible_ to have similar procedures and process around a Linux install base -- and also similarly ill-advised.

@ainmosni
....except, the fix would be scalable and automated, from a compartmentalised part of the system, and more importantly: immediately reversible. Potato's, tomatoes.

@ainmosni crowdstrike stated it was only rolled out to Windows, not apple or linux.

So could easily have been all 3....

@ainmosni

The bad actors could try, but it really is a Windows design problem.

It should not automagically install new drivers.

No other OS does this.

#Linux #CrowdStrike #Windows