An angry admin shares the CrowdStrike outage experience

db0 , 5 hours ago

Pity the administrators who dutifully kept a list of those keys on a secure server share, only to find that the server is also now showing a screen of baleful blue.

Lol, can you imagine? It empathetically hurts me even thinking of this situation. Enter that brave hero who kept the fileshare decryption key in a local keepass :D

kescusay , 5 hours ago

Seems like an argument for a heterogeneous environment, perhaps a solid and secure Linux server to host important keys like that.

pearsaltchocolatebar , 4 hours ago

Linux can shit the bed too. You need to maintain a physical copy.

StaySquared , 3 hours ago

CS did take down Linux a few years back… I forget the exact details.

amanda , 31 minutes ago

Sounds like we may have an easier conclusion to draw here

gnutrino , 2 hours ago

Sure but the chances of your Windows and Linux machines shitting the bed at the same time is less than if everything is running Windows. It’s exactly the same reason you keep a physical copy (which after all can break/burn down etc.) - more baskets to spread your eggs across.

pearsaltchocolatebar , 1 hour ago

Very few businesses are going to spend the money running redundant infrastructure on two different operating systems. Most of them won’t even spend the money on a proper DR plan.

Voroxpete , 56 minutes ago

Their point is not that linux can’t fail, it’s that a mix of windows and linux is better than just one. That’s what “heterogeneous environment” means.

You should think of your network environment like an ecosystem; monocultures are vulnerable to systemic failure. Diverse ecosystems are more resilient.

sugar_in_your_tea , 4 hours ago

That’s why the 3-2-1 rule exists:

• 3 copies of everything on
• 2 different forms of media with
• 1 copy off site

For something like keys, that means:

1. secure server share
2. server share backup at a different site
3. physical copy (either USB, printed in a safe, etc)

Any IT pro should be aware of this “rule.” Oh, and periodically test restoring from a backup to make sure the backup actually works.

IphtashuFitz , 37 minutes ago

We have a cron job that once a quarter files a ticket with whoever is on-call that week to test all our documented emergency access procedures to ensure they’re all working, accessible, up-to-date etc.

catloaf , 4 hours ago

We can’t boot into safe mode because our BitLocker keys are stored inside of a service that we can’t login to because our AD is down.

Someone never tested their DR plans, if they even have them. Generally locking your keys inside the car is not a good idea.

SapphironZA , 3 hours ago

We also backup our bitlocker keys with our RMM solution for this very reason.

catloaf , 2 hours ago

I hope that system doesn’t have any dependencies on the systems it’s protecting (auth, mfa).

MrNesser , 5 hours ago

Lemmy appears to be weathering the storm quite well…

…probably runs on linux

RootBeerGuy , 5 hours ago

It runs on hundreds of servers. If any of them ran windows they might be out but unless you got an account on them you’d be fine with the rest. That’s the whole point of federation.

cygnus , 5 hours ago (edited 3 hours ago)

The overwhelming majority of webservers run Linux (it’s not even close, like high 90 percent range) Edit: Upon double-checking it’s more like mid-80s, but the point stands

bilb , 3 hours ago

I wonder if any Lemmy servers run on Windows without WSL. I can’t think of any hard dependencies on Linux, so it should be possible.

gravitas_deficiency , 5 hours ago

Lmao this is incredible

Another Redditor posted: "They sent us a patch but it required we boot into safe mode.

"We can’t boot into safe mode because our BitLocker keys are stored inside of a service that we can’t login to because our AD is down.

“Most of our comms are down, most execs’ laptops are in infinite bsod boot loops, engineers can’t get access to credentials to servers.”

N.B.: Reddit link is from the source

I hope a lot of c-suites get fired for this. But I’m pretty sure they won’t be.

SkybreakerEngineer , 4 hours ago

Fired? I hope they get class-actioned out of existence as a warning to anyone who skimps on QA

MagicShel , 4 hours ago

C-suites fired? That’s the funniest thing I’ve heard yet today. They aren’t getting fired - they are their own ass-coverage. How can they be to blame when all these other companies were hit as well?

I guess this is a good week for me to still be laid off.

CodexArcanum , 4 hours ago

Our administrator is understandably a little bitter about the whole experience as it has unfolded, saying, "We were forced to switch from the perfectly good ESET solution which we have used for years by our central IT team last year.

Sounds like a lot of architects and admins are going to get thrown under the bus for this one.

“Yes, we ordered you to cut costs in impossible ways, but we never told you specifically to centralize everything with a third party, that was just the only financially acceptable solution that we would approve. This is still your fault, so we’re firing the entire IT department and replacing them with an AI managed by a company in Sri Lanka.”

Evotech , 1 hour ago

Stupid argument though, honestly just chance that crowdstrike was the vendor to shit the bed. Might aswell have been set. You should still have procedures for this

Boozilla , 5 hours ago

If you have EC2 instances running Windows on AWS, here is a trick that works in many (not all) cases. It has recovered a few instances for us:

• Shut down the affected instance.
• Detach the boot volume.
• Move the boot volume (attach) to a working instance in the same region (us-east-1a or whatever).
• Remove the file(s) recommended by Crowdstrike:
• Navigate to the C:\Windows\System32\drivers\CrowdStrike directory
• Locate the file(s) matching “C-00000291*.sys”, and delete them (unless they have already been fixed by Crowdstrike).
• Detach and move the volume back over to original instance (attach)
• Boot original instance

Alternatively, you can restore from a snapshot prior to when the bad update went out from Crowdstrike. But that is not always ideal.

Buffalox , 4 hours ago (edited 4 hours ago)

At least no mission critical services were hit, because nobody would run mission critical services in Windows, right?
…
RIGHT??

OpenStars , 4 hours ago

img

Max_P , 1 hour ago

This is why every machine I manage has a second boot option to download a small recovery image off the Internet and phone home with a shell. And a copy of it on a cheap USB stick.

Worst case I can boot the Windows install in a VM with the real disk, do the maintenance remotely. I can reinstall the whole thing remotely. Just need the user to mash F12 during boot and select the recovery environment, possibly input WiFi credentials if not wired.

I feel like this should be standard if you have a lot of remote machines in the field.

corsicanguppy , 37 minutes ago

This is why every machine I manage has a second boot option to download a small recovery image off the Internet and phone home with a shell. And a copy of it on a cheap USB stick.

You’re fucking killing it. Stay awesome.

Also gist this up pls. Thanks.

slacktoid , 5 hours ago

Sounds like the best time to unionize

pelletbucket , 4 hours ago

I got super lucky. got paid for my car just before the dealership systems went down, got my return flight 2 days before this shit started.