There have been multiple accounts created with the sole purpose of posting advertisement posts or replies containing unsolicited advertising.

Accounts which solely post advertisements, or persistently post them may be terminated.

Today I'm grateful I'm using Linux - Global IT issues caused by Crowdstrike update causes BSOD on Windows

This isn’t a gloat post. In fact, I was completely oblivious to this massive outage until I tried to check my bank balance and it wouldn’t log in.

Apparently Visa Paywave, banks, some TV networks, EFTPOS, etc. have gone down. Flights have had to be cancelled as some airlines systems have also gone down. Gas stations and public transport systems inoperable. As well as numerous Windows systems and Microsoft services affected. (At least according to one of my local MSMs.)

Seems insane to me that one company’s messed up update could cause so much global disruption and so many systems gone down :/ This is exactly why centralisation of services and large corporations gobbling up smaller companies and becoming behemoth services is so dangerous.

catculation ,
@catculation@lemmy.zip avatar

Even 911 is impacted

Bitrot ,

In the US 911 is decentralized, so widespread things will always affect it in some places. Solarwinds hack was another one.

Assuming the entire phone system isn’t down, there are typically very shitty to deal with workarounds for CAD outages.

SeattleRain ,

It’s proving that POSIX architecture is necessary even if it requires additional computer literacy on the part of users and admins.

The risk of hacking (which is what Crowdstrike essentially does to get so deeply embedded and be so effective at endpoint protection) a monolithic system like Windows OS is if you screw up the whole thing comes tumbling down.

Bitrot ,

It happens on Linux too: access.redhat.com/solutions/7068083

digdilem ,

That’s an old alert. We run CS on Linux as well and have not encountered this issue in the two years we’ve had it going.

Bitrot ,

It was affecting RHEL 9.4 users within the last two months.

digdilem ,

This specific issue was triggered today by a microsoft update - that’s something else.

Agree it may be indicative of poor quality software control, but it’s not this.

Bitrot ,

This specific issue is different than the other specific issue, correct.

The point is, “this could only happen on windows” is wrong.

Simmy ,

I’ve heard not all Windows versions are effect by Crowdstrike depending if it was recently updated or not. It’s not clear which versions are effected. One other thing I thought Windows has a micro Kernel, and Linux is monolithic.

skullgiver ,
@skullgiver@popplesburger.hilciferous.nl avatar

As Nvidia proves regularly, a Linux kernel driver can make a system unbootable just as easily as a broken Windows driver can.

sabreW4K3 ,
@sabreW4K3@lazysoci.al avatar

Is there a chance that this makes organisations move to Linux?

aasatru ,
@aasatru@kbin.earth avatar

I guess they would want some cybersecurity software like Crowdstrike in either case? If so, this could probably have happened on any system, as it's a bug in third party software that crashes the computer.

Not that I know much about this, but if this leads to a push towards Linux it would be if companies already wanted to make the switch, but were unwilling because they thought they needed Crowdstrike specifically. This might lead them to consider alternative cybersecurity software.

shirro ,

Windows usage isn’t the cause of dysfunction in corporate IT but a symptom of it. All you would get is badly managed Linux systems compromised by bloated insecure commercial security/management software.

magic_lobster_party ,

That’s not going to change much. This isn’t a Windows problem. This is a faulty software problem. People can write faulty software on Linux too.

aniki ,

You’d think maybe not being reliant on a 90 billion dollar company to un-fuck security would be a bigger deal than it is.

Asidonhopo ,

US and UK flights are grounded because of the issue, banks, media and some businesses not fully functioning. Likely we’ll see more effects as the day goes on.

TCB13 ,
@TCB13@lemmy.world avatar

While I don’t totally disagree with you, this has mostly nothing to do with Windows and everything to do with a piece of corporate spyware garbage that some IT Manager decided to install. If tools like that existed for Linux, doing what they do to to the OS, trust me, we would be seeing kernel panics as well.

tenchiken ,

Hate to break it to you, but CrowdStrike falcon is used on Linux too…

kautau , (edited )

And if it was a kernel-level driver that failed, Linux machines would fail to boot too. The amount of people seeing this and saying “MS Bad,” (which is true, but has nothing to do with this) instead of “how does an 83 billion dollar IT security firm push an update this fucked” is hilarious

https://lemmy.world/pictrs/image/db79f162-aa2f-4428-aa4d-a51eb07a8903.png

aniki ,

You’re asking the wrong question: why does a security nightmare need a 90 billion dollar company to unfuck it?

magic_lobster_party ,

What’s your solution to cyberattacks?

aniki , (edited )

Linux in the hands of professionals. There’s a reason IIS isn’t used anymore.

magic_lobster_party ,

That doesn’t solve anything. Linux is also subject to cyberattacks.

Badabinski , (edited )

Falcon uses eBPF on Linux nowadays. It's still an irritating piece of software, but it no make your boxen fail to boot.

edit: well, this is a bad take. I should avoid commenting on shit when I'm sleep deprived and filled with meeting dread.

Bitrot ,

It was panicking RHEL 9.4 boxes a month ago.

Badabinski ,

Were you using the kernel module? We're using Flatcar which doesn't support their .ko, and we haven't been getting panics on any of our machines (of which there are many).

Bitrot ,

Nah it was specifically related to their usage of BPF with the Red Hat kernel, since fixed by Red Hat. Symptom was, you update your system and then it panics. Still usable if you selected a previous kernel at boot though.

skullgiver ,
@skullgiver@popplesburger.hilciferous.nl avatar

Even if it doesn’t kernel panic, a broken eBPF program can break all networking and I/O and effectively cripple a “running” system.

eBPF is better in a lot of aspects, but it won’t prevent software intended to block syscalls from breaking your machines if the code breaks.

The solution posted everywhere, simply delete the broken driver files, isn’t difficult or time consuming, except for situations where tens of thousands of devices stop responding at once, or where every machine is asking you for the encryption key because you’ve altered your boot parameters. Linux’ saving grace here may be that Bitlocker-style encryption is a pain to set up so Linux servers typically don’t do the encryption at all, but the recovery process for enterprise customers would still be very manual and time consuming.

digdilem ,

And Macs, we have it on all three OSs. But only Windows was affected by this.

biscuitswalrus ,

Hate to break it to you, but most IT Managers don’t care about crowdstrike: they’re forced to choose some kind of EDR to complete audits. But yes things like crowdstrike, huntress, sentinelone, even Microsoft Defender all run on Linux too.

TCB13 ,
@TCB13@lemmy.world avatar

Yeah, you’re right.

aniki ,

How is it not a window problem?

Jako301 ,

Why should it be? A faulty software update from a 3rd party crashes the operating system. The exact same thing could happen to Linux hosts as well with how much access those IPSec programms usually get.

aniki ,

But that patch is for windows, not Linux. Not a hypothetical, this is happening.

digdilem ,

The fault seems to be 90/10 CS, MS.

MS allegedly pushed a bad update. Ok, it happens. Crowdstrike’s initial statement seems to be blaming that.

CS software csagent.sys took exception to this and royally shit the bed, disabling the entire computer. I don’t think it should EVER do that, so the weight of blame must lie with them.

The really problematic part is, of course, the need to manually remediate these machines. I’ve just spent the morning of my day off doing just that. Thanks, Crowdstrike.

Mikina ,

I wouldn’t call Crowdstrike a corporate spyware garbage. I work as a Red Teamer in cybersecurity, and EDRs are bane of my existence - they are useful, and pretty good at what they do. In the last few years, I’m struggling more and more to with engagements we do, because EDRs just get in the way and catch a lot of what would pass undetected a month ago. Staying on top of them with our tooling is getting more and more difficult, and I would call that a good thing.

I’ve recently tested a company without EDR, and boy was it a treat. Not defending Crowdstrike, to call that a major fuckup is great understatement, but calling it “corporate spyware garbage” feels a little bit unfair - EDRs do make a difference, and this wasn’t an issue with their product in itself, but with irresponsibility of their patch management.

0x0 ,

What?! No, it must be Kaspersky!

/s

AlligatorBlizzard ,

Oh damn, I wonder if that’s why some of Metro Transit’s signage was down last night?

aard ,
@aard@kyu.de avatar

The annoying aspect from somebody with decades of IT experience is - what should happen is that crowdstrike gets sued into oblivion, and people responsible for buying that shit should have an epihpany and properly look at how they are doing their infra.

But will happen is that they’ll just buy a new crwodstrike product that promises to mitigate the fallout of them fucking up again.

0x0 ,

decades of IT experience

Do any changes - especially upgrades - on local test environments before applying them in production?

The scary bit is what most in the industry already know: critical systems are held on with duct tape and maintained by juniors 'cos they’re the cheapest Big Money can find. And even if not, There’s no time. or It’s too expensive. are probably the most common answers a PowerPoint manager will give to a serious technical issue being raised.

The Earth will keep turning.

goodgame ,

some years back I was the ‘Head’ of systems stuff at a national telco that provided the national telco infra. Part of my job was to manage the national systems upgrades. I had the stop/go decision to deploy, and indeed pushed the ‘enter’ button to do it. I was a complete PowerPoint Manager and had no clue what I was doing, it was total Accidental Empires, and I should not have been there. Luckily I got away with it for a few years. It was horrifically stressful and not the way to mitigate national risk. I feel for the CrowdStrike engineers. I wonder if the latest embargo on Russian oil sales is in anyway connected?

0x0 ,

I wonder if the latest embargo on Russian oil sales is in anyway connected?

Doubt it, but it’s ironic that this happens shortly after Kaspersky gets banned.

HumanPenguin ,
@HumanPenguin@feddit.uk avatar

Not OP. But that is how it used to be done. Issue is the attacks we have seen over the years. IE ransom attacks etc. Have made corps feel they needf to fixed and update instantly to avoid attacks. So they depend on the corp they pay for the software to test roll out.

Autoupdate is a 2 edged sword. Without it, attackers etc will take advantage of delays. With it. Well today.

0x0 ,

I’d wager most ransomware relies on old vulnerabilities. Yes, keep your software updated but you don’t need the latest and greatest delivered right to production without any kind of test first.

HumanPenguin ,
@HumanPenguin@feddit.uk avatar

Very much so. But the vulnerabilities do not tend to be discovered (by developers) until an attack happens. And auto updates are generally how the spread of attacks are limited.

Open source can help slightly. Due to both good and bad actors unrelated to development seeing the code. So it is more common for alerts to hit before attacks. But far from a fix all.

But generally, time between discovery and fix is a worry for big corps. So why auto updates have been accepted with less manual intervention than was common in the past.

Cyber ,

I would add that a lot of attacks are done after a fix has been released - ie compare the previous release with the patch and bingo - there’s the vulnerability.

But agree, patching should happen regularly, just with a few days delay after the supplier release it.

ik5pvx ,

Unfortunately falcon self updates. And it will not work properly if you don’t let it do it.

Also add “customer has rejected the maintenance window” to your list.

MyNameIsRichard ,
@MyNameIsRichard@lemmy.ml avatar

Turns out it doesn’t work properly if you do let it

Strit ,
@Strit@lemmy.linuxuserspace.show avatar

It’s also reported in Danish news now: dr.dk/…/store-it-problemer-flere-steder-i-verden

stoy ,

I just saw it on the Swedish national broadcaster’s website:

www.svt.se/…/it-storningar-varlden-over-e1l936

Maxy ,

Dutch media are reporting the same thing: nos.nl/l/2529468 (liveblog) nos.nl/l/2529464 (Normal article)

Thorned_Rose OP ,
@Thorned_Rose@sh.itjust.works avatar

For reference, this was the article I first read about this on: www.nzherald.co.nz/…/R2EY42QKQBALXNF33G5PA6U3TQ/

  • All
  • Subscribed
  • Moderated
  • Favorites
  • [email protected]
  • random
  • lifeLocal
  • goranko
  • All magazines
    •