Btw - The article mentions Dave Plummer's analysis of the issue which might be easier for people to understand and worth a watch. - https://www.youtube.com/watch?v=wAzEJxOo1ts
After all, who exactly would benefit from such a nefarious scheme to crash windows computers? Certainly not Crowdstrike.
But indeed, this really sounds like it was an internal error.
Russia or China would certainly benefit from the ability to do this at a time of their choosing, and it's possible they could have an agent inside Crowdstrike, especially given China's history of industrial espionage.
State Actors, given the current Geo-Political tensions.
You have to take an all-in-all broader view. I remember a while ago Kaspersky was accused of data-siphoning/spying from computers it was installed on and other nefarious activities. See New Government Ban on Kaspersky Would Prevent Company from Updating Malware Signatures in U.S. - https://www.zetter-zeroday.com/new-government-ban-on-kaspers...
As for your opening statement "Some part of a company already aware of an issue but different part still ships is a pretty common tale" is not applicable here since this code runs in kernel mode (in both OSes) and thus would be subject to far, far greater scrutiny and testing than an ordinary app. As Dave Plummer points out in his analysis, Microsoft kernel drivers are signed and certified after an exhaustive testing process. Even if Crowdstrike wrote their drivers as an interpreter and the data update files were actually programs in some p-code, Microsoft would have definitely known of it and its inherent vulnerabilities. I would bet money that Microsoft knows more about preventing threats/vulnerabilities than any other company simply because of their long experience and large userbase and thus would not have allowed Crowdstrike such a free hand.
I love a good conspiracy just like anyone. And I certainly hope the relevant authorities will take a good, deep look at what knocked over the dominoes CrowdStrike set up in a line. But I just don't see how those state actors would benefit from this. There is damage, both financial and humans harmed, but is that the best a state actor could do? I would have thought they would sync such an action with other measures for maximum impact.
> You have to take an all-in-all broader view.
That is always wise. Can you tell us more? In particular could you spell out how the Kaspersky ban factors in here in your opinion?
> As for your opening statement "Some part of a company already aware of an issue but different part still ships is a pretty common tale" is not applicable here since this code runs in kernel mode (in both OSes) and thus would be subject to far, far greater scrutiny and testing than an ordinary app.
Are you saying that this scrutiny is somehow enough to overcome companies' natural tendency to be disparate and unorganised?
You should never stop at obvious/superficial explanations but look at all scenarios (i.e. Game Theory probabilities) including "false flag" operations. Eg. a) What might have happened elsewhere when the world's attention was focused on this one incident? Did we miss something of greater importance? b) Was this a dry run/false flag to get businesses to tighten their cyber defences because somebody knows something about what might be forthcoming? c) The Russia/Ukraine war seems to be entering a critical phase with increasing incidents across NATO countries; see https://edition.cnn.com/2024/07/10/europe/russia-shadow-war-... etc. etc. At the minimum there has already been billions in damage and counting; one Australian report - https://www.youtube.com/watch?v=YedowOtznNo
> how the Kaspersky ban factors in here in your opinion?
Because this is very recent news; see https://www.zetter-zeroday.com/kaspersky-lab-closing-u-s-div... Is somebody flexing their attack capabilities just to demonstrate they can do it without Kaspersky? Also the US govt. has specifically banned "updating of malware signatures" in Kaspersky software which was exactly the vector used with Crowdstrike.
> Are you saying that this scrutiny is somehow enough to overcome companies' natural tendency to be disparate and unorganised?
Yes. Companies do not treat kernel mode code with the same laissez-faire attitude that they might take with user mode apps. In particular, Microsoft has the most experience with this given their long history/evolution/problems and sheer number of installations. That they would allow some third-party software to bypass their testing/certifications is unbelievable to me. I am sure they would have also done some formal verification on this as well. Remember Crowdstrike was meant to help prevent zero-day vulnerabilities and hence they would have looked at it closely.
When certain things happen at a global scale, you have to take a global view, factor in parameters like Geopolitical tensions, Economic advantages/disadvantages, Propaganda, etc. and simulate all possible scenarios one by one w.r.t. all parameters.
Remember Clausewitz, “War is not merely a political act but a real political instrument, a continuation of political intercourse, a carrying out of the same by other means”.
Also Sun Tzu, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
Finally, you might find the classic Deception - The Invisible War Between the KGB and the CIA by Edward Jay Epstein very relevant here - https://archive.org/details/Deception-TheInvisibleWarBetween... "Deception" is the foundation for everything and "Asymmetric Warfare (Cyber and others)" is the name of the game today.
I think Russia or China are probably the least likely perpetrators possible. Their incentives strongly misalign with this.
I disagree. If state actors had this type of capability they would use it to spy on big companies. The espionage potential is huge. They wouldn't waste it on causing a minor inconvenience.
> is not applicable here since this code runs in kernel mode (in both OSes) and thus would be subject to far far greater scrutiny and testing than an ordinary app
Lol. What next? Politicians always tell the truth? Everyone gets a free unicorn? This is just obviously not how the world works. There is a long history of anti-virus software being kind of crap.
Who says that is not ongoing? You just don't hear about it that much because the companies downplay/hide it for obvious reasons.
> They wouldn't waste it on causing a minor inconvenience.
This is not a "minor" inconvenience. The losses to the economy are already running into billions and counting. See for example https://www.youtube.com/watch?v=YedowOtznNo
> Lol. What next? Politicians always tell the truth? Everyone gets a free unicorn? This is just obviously not how the world works. There is a long history of anti-virus software being kind of crap.
Snark/glibness is not an argument. I have worked in network security and know for a fact that kernel mode code is treated differently than user mode code in terms of scrutiny/testing/staging/release. Second, Crowdstrike is not just another anti-virus software; they are far broader in scope and more complex, hence their wide user base. Microsoft, with their wide experience, would definitely have processes in place to validate them comprehensively. Hence one should be cautious in taking this incident at face value and investigate everything thoroughly. I am almost sure multiple lawsuits are in the offing but am not so sure whether the full story will come out.