Nick @ The Linux Experiment

Microsoft now blaming the EU for the CrowdStrike issue, because the EU made them open their APIs to third party developers in 2009, is hilarious.

If your APIs had any kind of graceful error handling, this wouldn’t be an issue. Fix your bad code, Microsoft, stop pointing fingers.

50 comments
Pēteris Krišjānis

@thelinuxEXP hahahahaha what.
Sue these fools out of existence.

dieTasse

@thelinuxEXP
Wow, they are just... something 🙁

Ken Kinder :clubtwit:

@thelinuxEXP So as a Linux user, your contention is that a ring 0 privileged application, with root access to all kernel functions, should never be able to crash the system?

Nick @ The Linux Experiment

@bouncing No, it’s that the OS should be able to recover gracefully, not go into a BSOD boot loop

Brian Reiter

@thelinuxEXP @bouncing if it hypothetically rebooted and refused to load the crashing kernel module then doesn’t it mean that crashing a module is equivalent to denying access to the service or hardware that depends on the module? In this case it would mean you can bypass whatever “security” is provided by CrowdStrike by crashing the module.

Ken Kinder :clubtwit:

@breiter @thelinuxEXP Linux systems have bootloops too.

I imagine I can give you a one-line shell command that will make your computer unbootable. Does that mean it’s just pure incompetence from the kernel developers? Of course not.

Nick @ The Linux Experiment

@bouncing @breiter There’s a difference between “send me a script that wipes /” and “a kernel module is faulty therefore you can’t boot anymore”.

Ken Kinder :clubtwit:

@thelinuxEXP @breiter Is there? Surely a kernel module which, by law, “has the same access” as Microsoft’s first party ones, could make a system unbootable.

I’m not saying there’s not a bug that can be fixed but basically by definition, that whole rule is a security and reliability hole.

Nick @ The Linux Experiment

@breiter @bouncing Well, yeah, but I’d argue most people would prefer having a working system that reboots once, than having protection for a potential threat that might or might not be there in the time it takes for the faulty module to be updated.

Brian Reiter

@thelinuxEXP @bouncing I’m not sure that is actually true at all in the market where CrowdStrike is used. The module exists for mandatory SOC 2 or other compliance (which is not to be confused with security) requirements. Deploying CrowdStrike is a checkbox for the compliance people making this decision. If you could bypass it then it’s not really doing the required thing.

Murat

@bouncing The OS should run such apps under certain protections. M$ should display some seriousness, for f..k’s sake; not every app is Minesweeper. nondeterministic.computer/@mjg

Ken Kinder :clubtwit:

@muratk5n pcmag.com/news/why-did-crowdst

> As Microsoft's Chief Communications Officer, Frank X. Shaw, noted on X, a 2009 agreement between the European Commission and Microsoft required Redmond to give security software the same level of access to Windows as Microsoft itself.

By definition, the kernel does not run in a sandbox.

If you’re giving third party apps the same access as Windows, they can crash Windows.

Jan

@thelinuxEXP The Linux kernel and all associated APIs are open, and those developers don’t blame the government for mistakes.

DELETED

@thelinuxEXP third party kernel modules crashing the kernel isn't exactly unique to Windows.

Nick @ The Linux Experiment

@PlutoisAPlanet No, but the lack of any way to get out of a BSOD loop is

Brian Reiter

@thelinuxEXP @PlutoisAPlanet it’s not that there is no way to fix it at all. Windows has Safe Mode and WinPE. The problem is that it requires interaction with each device. Business has no plan for recovery in such a scenario. In some cases they had not properly done BitLocker key escrow. Many POS and kiosk devices are deployed with no IT support physically present.

DELETED

@breiter @thelinuxEXP Shame Windows 10X was dropped which was designed to stop this very thing via atomic updates.

NixOS and OSTree distros are the only two I can think of on Linux that would have survived this issue (as long as the update was pulled first).

Nick @ The Linux Experiment

@ericdube @PlutoisAPlanet And since then, Linux devs have added an ABI that will prevent this type of issue. CrowdStrike is even using it now, if the system supports it.

DELETED

@thelinuxEXP @ericdube Except it didn't, the recent CrowdSec crash on Linux crashed even using eBPF

Wyatt (🏳️‍⚧️♀?)

@thelinuxEXP also if you're going to force drivers to be signed by your key anyway, maybe actually vet the things you're letting people sign (or sign them yourselves)

Ketata Mohamed

@thelinuxEXP I saw this in a post on a group on fb, to put you into the context: this is an app that lists job openings

Idaho

@thelinuxEXP topkek, the people at fault are crowdstrike, end of the line, they should have a proper release pipeline and QA...

Mizah

@thelinuxEXP Also, if there's anyone to blame here, it's Crowdstrike, their customers for buying a subpar product, and bad update rollout policies.

Andreas :tux: :android:

@thelinuxEXP I also found that comment to be very immature, to be honest.

Andreas :tux: :android:

@thelinuxEXP instead of saying it like it is, they blame the EU. It’s a bit childish and immature to blame others for their own shortcomings.

Nick @ The Linux Experiment

@antaeus Ahh sorry, for some reason I thought you were referring to my own post as immature!

My bad! I totally agree, this finger pointing is just childish.

supernov

@thelinuxEXP Really? I can only imagine this is kind of a legal thing, to try and avoid a huge fine

Nick @ The Linux Experiment

@supernov Might be, yeah! It must have broken a bunch of SLAs for some of their customers

quinta :ubuntu:

@thelinuxEXP they're afraid of losing their BSOD monopoly

Salem's Lot

@thelinuxEXP Be cautious about wanting them to "secure" their code. They will inevitably find the enshittification way of doing this and simultaneously cooperating with governments to constrict users in awful ways.

April

@thelinuxEXP @SalemsLot my prediction: that’s gonna happen once they notice that all the money they poured into ChatGPT was for an advanced autocomplete without real usage

Brian Reiter

@thelinuxEXP the CrowdStrike Falcon kernel module was crashing Debian and RHEL servers a few months ago.

If you are running in the kernel process, you can panic the system.

Nick @ The Linux Experiment

@breiter But these systems were easy to recover. And this issue has since been fixed, at least specifically for CrowdStrike, since kernel 6.1x. Can’t happen in this way anymore.

Brian Reiter

@thelinuxEXP that’s because they are using eBPF now. But Windows now has dtrace and AMSI. CrowdStrike doesn’t use those. Instead, it injects itself into the kernel. Microsoft can’t force CrowdStrike to use the safe interfaces.

If you are in the kernel and crash the system that’s on you.

Nick @ The Linux Experiment

@breiter Ah yeah, didn’t know Windows has a similar thing now. Strange that CrowdStrike didn’t use it, when they made the move for Linux!

Anyway, the finger pointing at the EU is ridiculous. If they don’t want to blame themselves (I still refuse to believe there’s nothing MS could do to handle this type of problem more gracefully), blame Crowdstrike.

Brian Reiter

@thelinuxEXP my guess is that Linux server admins had the political clout to force a change.

Windows had AMSI for something like 20+ years. dtrace for about 5 years. There was a technology that Microsoft wanted to use to protect the kernel integrity that the EC blocked because security vendors brought a complaint.

In my company Windows is only allowed in a VM, FWIW. I think Microsoft has painted themselves into a corner with their infinite backward compatibility and bad legacy decisions.

Brian Reiter

@thelinuxEXP I have had endpoint security engineers tell me that using these safe interfaces precludes some of the differentiating features of CrowdStrike Falcon and other similar endpoint tools. I’m extremely dubious that those features are worth the risk and added surface area exposed by the security and compliance probe as a kernel module in the first place.

Using a rootkit as the vehicle for compliance in all Fortune 500 companies seems like a bad idea a priori.

Norbi Peti

@thelinuxEXP based on the one video I watched they can't afford to recover from any kind of kernel issue in general (and safe mode is there to help prevent it if you know how). CrowdStrike had a boot-start kernel driver apparently and didn't handle "user" errors properly in the kernel.
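The failure mode the thread keeps circling back to is privileged code that believes the numbers in a file it reads and uses them as indices. The following is an added example, not code from this thread, from CrowdStrike or from Microsoft: it invents a small record format (an 8-byte header naming a count of 6-byte entries, each pointing at a byte range in the same buffer), a hypothetical MAX_ENTRIES policy limit, and three constructed sample files, and shows the same read done once trusting the file and once with every field bounded before use. In a kernel driver the trusting version’s out-of-range read is a bugcheck, not a recoverable error; the checked version returns a status code and the caller keeps running.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for this example (not any vendor's real format):
 *   header: magic "CHNL", count (u32 little-endian)
 *   entry:  off (u32 LE), len (u16 LE)  ->  payload = buf[off .. off+len)
 */
#define HDR_LEN     8
#define ENTRY_LEN   6
#define MAX_ENTRIES 1024   /* hypothetical policy limit chosen for this example */

enum parse_status {
    PARSE_ERR_TRUNCATED_HDR   = -1,
    PARSE_ERR_BAD_MAGIC       = -2,
    PARSE_ERR_TOO_MANY        = -3,
    PARSE_ERR_TRUNCATED_TABLE = -4,
    PARSE_ERR_ENTRY_OOB       = -5,
};

static uint32_t rd_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Trusting shape: every number in the file is believed and used as an index.
 * Correct on well-formed input; on a truncated or corrupt file the reads land
 * outside `buf`, which in ring 0 is a bugcheck, not an exception a caller can
 * catch. Only ever call this on data that has already been validated. */
uint32_t sum_payloads_trusting(const uint8_t *buf)
{
    uint32_t count = rd_u32(buf + 4), sum = 0;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + HDR_LEN + i * ENTRY_LEN;
        uint32_t off = rd_u32(e);
        uint16_t n = rd_u16(e + 4);
        for (uint16_t j = 0; j < n; j++) sum += buf[off + j];
    }
    return sum;
}

/* Checked shape: every field is bounded against `len` before it is used.
 * Returns the number of entries accepted (>= 0) or a negative parse_status;
 * a rejected file leaves *out_sum untouched and the caller keeps running. */
int parse_channel_file(const uint8_t *buf, size_t len, uint32_t *out_sum)
{
    if (len < HDR_LEN)                  return PARSE_ERR_TRUNCATED_HDR;
    if (memcmp(buf, "CHNL", 4) != 0)    return PARSE_ERR_BAD_MAGIC;

    uint32_t count = rd_u32(buf + 4);
    if (count > MAX_ENTRIES)            return PARSE_ERR_TOO_MANY;

    /* count <= MAX_ENTRIES, so this product cannot wrap */
    size_t table_end = HDR_LEN + (size_t)count * ENTRY_LEN;
    if (table_end > len)                return PARSE_ERR_TRUNCATED_TABLE;

    uint32_t sum = 0;
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + HDR_LEN + (size_t)i * ENTRY_LEN;
        size_t off = rd_u32(e);
        size_t n   = rd_u16(e + 4);
        /* payload must sit after the table and end inside the buffer;
         * computed in size_t so off + n cannot wrap around 32 bits */
        if (off < table_end || off + n > len) return PARSE_ERR_ENTRY_OOB;
        for (size_t j = 0; j < n; j++) sum += buf[off + j];
    }
    if (out_sum) *out_sum = sum;
    return (int)count;
}

/* Constructed samples (not captured from any real product). */
static const uint8_t GOOD_FILE[] = {
    'C','H','N','L',  2,0,0,0,        /* header: 2 entries            */
    20,0,0,0,  3,0,                   /* entry 0: off 20, len 3 "abc" */
    23,0,0,0,  2,0,                   /* entry 1: off 23, len 2 "de"  */
    'a','b','c','d','e'
};
static const uint8_t BAD_COUNT_FILE[] = {   /* header claims 50 entries  */
    'C','H','N','L', 50,0,0,0,
    20,0,0,0,  3,0,   23,0,0,0,  2,0,  'a','b','c','d','e'
};
static const uint8_t BAD_OFFSET_FILE[] = {  /* entry 1 runs past the end */
    'C','H','N','L',  2,0,0,0,
    20,0,0,0,  3,0,   23,0,0,0, 10,0,  'a','b','c','d','e'
};

int main(void)
{
    uint32_t sum = 0;
    int n = parse_channel_file(GOOD_FILE, sizeof GOOD_FILE, &sum);
    printf("good:       %d entries, payload byte-sum %u\n", n, sum);
    printf("bad count:  status %d\n",
           parse_channel_file(BAD_COUNT_FILE, sizeof BAD_COUNT_FILE, &sum));
    printf("bad offset: status %d\n",
           parse_channel_file(BAD_OFFSET_FILE, sizeof BAD_OFFSET_FILE, &sum));
    printf("empty:      status %d\n", parse_channel_file(GOOD_FILE, 0, &sum));
    return 0;
}
```

The two functions read the same bytes; the only difference is that the checked one compares the header count, the table size and every entry’s offset and length against the buffer length it was actually handed, in a width where the arithmetic cannot wrap. That is the whole of “handling user errors properly” in a component that cannot afford a fault: the file is treated as untrusted input even though it came from the vendor’s own update channel.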

Scott 🏴

@thelinuxEXP open source code fucks up? Open source is the problem. Closed-source code fucks up? Still because of open source somehow

Niac

@thelinuxEXP
how likely do you think it is that without this API, CrowdStrike would have used a janky way to get what they want out of the kernel (and still cause this issue)?

This is obviously something they would want to do, but I have no idea if they would think it would be worth the reverse engineering efforts, monkey-patched kernel files, probably need to re-sign everything to be secure-boot-compatible, etc...

Warriormaster

@thelinuxEXP my understanding is that in kernel mode you can’t gracefully crash without BSOD. At least based on Gary Explains’ video and the Primeagen interview.

K0bin

@thelinuxEXP Kernel extensions on Linux would make the system crash just like Crowdstrike did. You can't really blame Microsoft here.
