Onasi@mab1376
This is fair, though I fear that would require them to essentially overhaul the entire kernel at this point, Vista/NT6-style, which isn’t in the cards anytime soon, I assume.

mab1376TBF if Microsoft offered user-mode APIs into kernel events, it wouldn't be necessary to install a kernel driver.

WirkoIs that implemented in any OS? I don't see how it could be done with sufficient functionality but without compromising security.

bugIf you mean me

mab1376Doubtfully anytime soon, but Apple made this switch in 2020 with the release of Catalina, so it's not entirely unfathomable.

WirkoIs that implemented in any OS? I don't see how it could be done with sufficient functionality but without compromising security.

OnasiThey were driven to it by their switch to their own silicon, to be fair. Wasn’t just out of the goodness of their hearts.

WirkoAnother problem is PCs that won't boot.

Although ... isn't there a thing called Intel Management Engine, which system admins can use to access disks and everything on a PC even if it's turned off or unable to boot?

JcRabbitJudging by the chaos out there, this is what the Y2K bug could have been, but wasn't (because we made sure on time that it would not turn into anything like this - and thus it became a non event).

mab1376TBF if Microsoft offered user-mode APIs into kernel events, it wouldn't be necessary to install a kernel driver.

forman313Yes there is.

For AMD there is DASH and AMC (AMD Management Console) supported by the PRO processors. You get remote access with KVM, USB ISO boot redirection, power control +++. As long as the device is connected to AC/DC or in modern standby and has a connection to the internet, you get access. Even when its powered of.

bugCalls from user space into the kernel space incur some overhead. It's hard to enable that without taxing the performance.

Shou MikoI already heard this didn't work for everyone including the registery fix.

I checked serveral Windows 10 installations at work incl. the one I use at work and I haven't found anything and a lot of my customers are running Windows 11 so hope they are more safe than Windows 10 users.


Correct.

AssimilatorOh good, the Linux idiots have arrived to shit on things they have zero understanding of.

AquinusI don't know, man. What I do know is that I have an engineer that currently can't do his job because his laptop is bricked because of this. All of my engineers with Macs (including myself,) are fine. So while I don't understand exactly what CrowdStrike did, I do understand its side-effects. Same thing with our servers. Our product in particular is mostly on a flavor of Linux and is not impacted by any of this. The parts of the business with Windows servers on the other hand are actively war rooming to fix all of this.

So say what you will, but this is a huge issue for businesses that use CrowdStrike with Windows machines.

AquinusI don't know, man. What I do know is that I have an engineer that currently can't do his job because his laptop is bricked because of this. All of my engineers with Macs (including myself,) are fine. So while I don't understand exactly what CrowdStrike did, I do understand its side-effects. Same thing with our servers. Our product in particular is mostly on a flavor of Linux and is not impacted by any of this. The parts of the business with Windows servers on the other hand are actively war rooming to fix all of this.

So say what you will, but this is a huge issue for businesses that use CrowdStrike with Windows machines.

AssimilatorAnd, again, for the 100th time, none of that is the fault of Microsoft or Windows. Crowdstrike shipped a broken update and Crowdstrike bricked those machines.

Yes, you could argue it's ultimately Microsoft's fault for not building a sufficiently isolated kernel, but that's very much ignoring the forest for the trees in this case.

AssimilatorAnd, again, for the 100th time, none of that is the fault of Microsoft or Windows. Crowdstrike shipped a broken update and Crowdstrike bricked those machines.

P4-630due to CrowdStrike Falcon-package failure affecting Windows.

mab1376Mac uses an API to collect kernel events, so the kernel driver required on Windows doesn't exist on Mac. Linux has user mode and kernel mode sensors available depending on the kernel, but I don't think kernel mode Linux hosts were affected as I suspect the bug was only introduced into the Windows code base at CrowdStrike.

As mentioned above, user mode APIs for kernel events compared to a kernel driver does have a performance impact.

mab1376Exactly the boat I'm in... I'm the infosec manager so I'm just the one documenting the wreckage.

bugThe elephant in the room being: if it affects so many systems, how the hell did it go undetected all the way prod? Though it could be a case of "we tested one thing and released another".

MakaveliSeriously I fought back against Bitlocker encryption on all machines for this reason at my last place because I told them recovery after an event like this is a major pain in the ass. I believe I saw a mcafee update in the past brick one of my workstation. but for me I thought ahead had and images and other thing done to recover my own machine. Now of course encryption is important so they did it anyways but none of my other co-workers took the extra steps I did encase of a disaster.

mab1376that question is exactly why their stock is tanking.


BitLocker is required for our ISO27001 certification if a machine has sensitive info on it, which most do in my environment.