158 points kenjackson | 2 comments

rramadass No.41031248
I had read reports of this earlier, which is what makes me speculate that the Windows Crowdstrike issue is more than "just an update error", i.e. there might be some nefarious hand behind this. Given that they were already aware of the Linux issue, it boggles my mind that they did not take extra precautions when it came to Windows updates. We will have to wait and see for further trustworthy info.

Btw, the article mentions Dave Plummer's analysis of the issue, which might be easier for people to understand and is worth a watch: https://www.youtube.com/watch?v=wAzEJxOo1ts

replies(3): >>41031293 >>41031643 >>41032173
bawolff No.41031293
Some part of a company already aware of an issue but different part still ships is a pretty common tale and seems much more likely than some nefarious conspiracy theory. (And that is even assuming this is the same issue, which seems questionable)

After all, who exactly would benefit from such a nefarious scheme to crash windows computers? Certainly not Crowdstrike.

replies(3): >>41031325 >>41031441 >>41031502
rramadass No.41031502
> who exactly would benefit from such a nefarious scheme

State Actors, given the current Geo-Political tensions.

You have to take an all-in-all broader view. I remember a while ago Kaspersky was accused of data-siphoning/spying from computers it was installed on and other nefarious activities. See "New Government Ban on Kaspersky Would Prevent Company from Updating Malware Signatures in U.S." - https://www.zetter-zeroday.com/new-government-ban-on-kaspers...

As for your opening statement, "Some part of a company already aware of an issue but different part still ships is a pretty common tale", it is not applicable here since this code runs in kernel mode (in both OSes) and thus would be subject to far, far greater scrutiny and testing than an ordinary app. As Dave Plummer points out in his analysis, Microsoft kernel drivers are signed and certified after an exhaustive testing process. Even if Crowdstrike wrote their drivers as an interpreter and the data update files were actually programs in some p-code, Microsoft would have definitely known of it and its inherent vulnerabilities. I would bet money that Microsoft knows more about preventing threats/vulnerabilities than any other company, simply because of their long experience and large userbase, and thus would not have allowed Crowdstrike such a free hand.

replies(2): >>41031932 >>41038966
krisoft No.41031932
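The comment above rests on the premise that a signed, certified kernel driver is enough scrutiny. Driver signing attests to the driver binary, not to the content files it reads at runtime, so a kernel-mode interpreter has to validate those files itself. The following is an added example, not code from this thread, from CrowdStrike or from Microsoft; it parses a hypothetical length-prefixed rule file and rejects a truncated update instead of reading past the end of the buffer. The file format, record layout and sample bytes are all constructed for illustration.

```c
/* Added example: bounds-checked parsing of an untrusted content file.
 * The "RULE" format is hypothetical; nothing here reflects any real
 * vendor's file layout. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = 1,   /* header promises more bytes than are present */
    PARSE_BAD_MAGIC = 2,
    PARSE_BAD_OPCODE = 3,
    PARSE_TOO_MANY = 4
};

#define MAX_RULES 16
#define HDR_LEN   5   /* 4-byte magic + 1-byte record count */
#define REC_LEN   3   /* [opcode:1][arg:2 little-endian] */

struct rule { uint8_t opcode; uint16_t arg; };

/* Parse buf[0..len) into out[]; never dereferences beyond len. */
static int parse_rules(const uint8_t *buf, size_t len,
                       struct rule *out, size_t max_out, size_t *n_out)
{
    *n_out = 0;
    if (len < HDR_LEN) return PARSE_TRUNCATED;
    if (memcmp(buf, "RULE", 4) != 0) return PARSE_BAD_MAGIC;
    size_t count = buf[4];
    if (count > max_out) return PARSE_TOO_MANY;
    /* The check a naive loader skips: trust the data, not the header. */
    if (len < HDR_LEN + count * REC_LEN) return PARSE_TRUNCATED;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *rec = buf + HDR_LEN + i * REC_LEN;
        if (rec[0] > 2) return PARSE_BAD_OPCODE;   /* opcodes 0..2 only */
        out[i].opcode = rec[0];
        out[i].arg = (uint16_t)(rec[1] | (rec[2] << 8));
    }
    *n_out = count;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t good_file[] = {
    'R','U','L','E', 2,
    0x01, 0x34, 0x12,   /* opcode 1, arg 0x1234 */
    0x02, 0xff, 0x00    /* opcode 2, arg 0x00ff */
};
/* Header claims 3 records but only one follows: a truncated update. */
static const uint8_t short_file[] = { 'R','U','L','E', 3, 0x01, 0x34, 0x12 };

/* Small wrappers so the outcome can be checked without local state. */
int status_of(const uint8_t *buf, size_t len)
{
    struct rule r[MAX_RULES]; size_t n;
    return parse_rules(buf, len, r, MAX_RULES, &n);
}

/* Returns arg of rule i, or -1 if the file does not parse or i is out of range. */
long rule_arg_of(const uint8_t *buf, size_t len, size_t i)
{
    struct rule r[MAX_RULES]; size_t n;
    if (parse_rules(buf, len, r, MAX_RULES, &n) != PARSE_OK || i >= n) return -1;
    return r[i].arg;
}

int main(void)
{
    /* Stand-alone run: 0 if the good file parses and the short one is rejected. */
    return !(status_of(good_file, sizeof good_file) == PARSE_OK &&
             status_of(short_file, sizeof short_file) == PARSE_TRUNCATED);
}
```

The point is not the format but where the trust boundary sits: signing proves who built the driver, while the length check above is what keeps a malformed update from turning into a kernel-mode out-of-bounds read.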
> State Actors, given the current Geo-Political tensions.

I love a good conspiracy just like anyone. And I certainly hope the relevant authorities will take a good, deep look at what knocked over the dominoes CrowdStrike set up in a line. But I just don't see how those state actors would benefit from this. There is damage, both financial and in humans harmed, but is that the best a state actor could do? I would have thought they would sync such an action with other measures for maximum impact.

> You have to take an all-in-all broader view.

That is always wise. Can you tell us more? In particular could you spell out how the Kaspersky ban factors in here in your opinion?

> As for your opening statement, "Some part of a company already aware of an issue but different part still ships is a pretty common tale", it is not applicable here since this code runs in kernel mode (in both OSes) and thus would be subject to far, far greater scrutiny and testing than an ordinary app.

Are you saying that this scrutiny is somehow enough to overcome companies' natural tendency to be disparate and unorganised?

replies(1): >>41032739
rramadass No.41032739
> But i just don’t see how those state actors would benefit from this.

You should never stop at obvious/superficial explanations but look at all scenarios (i.e. game-theory probabilities), including "false flag" operations. E.g. a) What might have happened elsewhere when the world's attention was focused on this one incident? Did we miss something of greater importance? b) Was this a dry run/false flag to get businesses to tighten their cyber defences because somebody knows something about what might be forthcoming? c) The Russia/Ukraine war seems to be entering a critical phase with increasing incidents across NATO countries; see https://edition.cnn.com/2024/07/10/europe/russia-shadow-war-... etc. etc. At a minimum there has already been billions in damage and counting; one Australian report: https://www.youtube.com/watch?v=YedowOtznNo

> how the Kaspersky ban factors in here in your opinion?

Because this is very recent news; see https://www.zetter-zeroday.com/kaspersky-lab-closing-u-s-div... Is somebody flexing their attack capabilities just to demonstrate they can do it without Kaspersky? Also, the US govt. has specifically banned "updating of malware signatures" in Kaspersky software, which was exactly the vector used with Crowdstrike.

> Are you saying that this scrutiny is somehow enough to overcome companies' natural tendency to be disparate and unorganised?

Yes. Companies do not treat kernel mode code with the same laissez-faire attitude that they might take with user mode apps. In particular, Microsoft has the most experience with this, given their long history/evolution/problems and sheer number of installations. That they would allow some third-party software to bypass their testing/certifications is unbelievable to me. I am sure they would have also done some formal verification on this as well. Remember, Crowdstrike was meant to help prevent zero-day vulnerabilities, and hence they would have looked at it closely.

When certain things happen at a global scale, you have to take a global view, factor in parameters like geopolitical tensions, economic advantages/disadvantages, propaganda, etc., and simulate all possible scenarios one by one w.r.t. all parameters.

Remember Clausewitz, “War is not merely a political act but a real political instrument, a continuation of political intercourse, a carrying out of the same by other means”.

Also Sun Tzu, “All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”

Finally, you might find the classic "Deception: The Invisible War Between the KGB and the CIA" by Edward Jay Epstein very relevant here - https://archive.org/details/Deception-TheInvisibleWarBetween... "Deception" is the foundation for everything, and "asymmetric warfare (cyber and other)" is the name of the game today.