Posted on 07/20/2024 8:10:34 AM PDT by ransomnote
https://x.com/Perpetualmaniac/status/1814376668095754753
I put the University of MO at Rolla into a do loop in Fortran 4 once. Long time ago. They were somewhat not pleased.
“If it isn’t, then it’s a very sorry state of affairs at MS”
This didn’t occur at MSFT.
"Was it sabotage?" is a perfectly reasonable question to ask. And somebody had better be digging into that question.
We don’t know it wasn’t.
And we don't know that it was. Who would benefit?
Sadly enough, the idea of "innocent until proven guilty" no longer applies to events we continue to see. While I consider sabotage in this case to be unlikely, it is not impossible. Perhaps some booby-trap that went off before it was planned to release?
But again, if you suspect conspiracy, who will benefit? That is where you must direct attention. If there was some kind of conspiracy, then you look for a technical person in a key position who just got a huge "inheritance" and retired. Or who just turned up dead "unexpectedly".
We don't have any such indicators yet.
The people who will lose are the ones at CrowdStrike. That company will be GONE. And the technical staff may be unemployable. The cyber-security industry is kind of a small community. Everybody has a reputation.
Hiring code proofreaders, send resume to
Crowdstrike Oh Sh**t
I totally understand that.
Crowdstrike went from a 50 million dollar company to a 3 billion dollar company in 7 years. All because of democrap party ties
I’d argue that many benefit - from my understanding this mainly hit western nations. It could be an enemy State effort. It could be a competitor to Crowdstrike, this is a disaster for them.
Who knows? I ask, not for the reasons I can think of but for the reasons I can’t. This did $billions in damage and caused lots of chaos. Did somebody die because equipment wasn’t available? Quite possibly. It’s no different than asking ‘who would want to commit terrorism?’. It doesn’t have to make sense to you or me.
As a software expert, responsible for safety critical systems, including their cybersecurity, this is so amateurish I’m suspicious. That’s all.
Even if it was not sabotage, clearly we have a vulnerability. One that could be used as an attack vector in the future. There needs to be an investigation into exactly how this happened.
It raises a bigger question too. If the infrastructure is so dependent on Microsoft, how do we make sure this doesn’t happen again? Accident or not.
I corrected myself.
Even so, we have a huge dependency on Microsoft - and with major 3rd parties being able to put their kernel modules into the OS, it raises questions about the possible safeguards that need to be in place in addition to the internal testing, or lack thereof, of a single company.
This was a problem waiting to happen and it’ll likely happen again if we just chalk it up to a ‘mistake’ by a single company - and an ‘oops’ only impacting the company in question.
Do not deploy a "mandatory update" to your entire customer base at the same time. Do it in small sample cohorts and pause to see if there is trouble. Pay very close attention to those cohorts. Continue if there is no trouble.
If something nasty slips through your test procedures, at least this will minimize the damage, and give organizations time to recover.
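Added example, not part of any post in this thread and not any vendor's actual process: a minimal staged-rollout gate in Python that deploys to growing cohorts and halts when a cohort's failure rate exceeds a threshold. The function names, wave fractions, threshold and the constructed 1,000-host fleet are all assumptions made for illustration.

```python
import hashlib

def plan_cohorts(hosts, fractions=(0.01, 0.10, 0.50, 1.0)):
    """Split hosts into successive waves; fractions are cumulative fleet shares."""
    # Order by hash of host id so wave membership is stable between runs and
    # does not depend on inventory order.
    ordered = sorted(hosts, key=lambda h: hashlib.sha256(h.encode()).hexdigest())
    waves, start = [], 0
    for frac in fractions:
        end = min(len(ordered), max(start + 1, round(len(ordered) * frac)))
        if end > start:
            waves.append(ordered[start:end])
        start = end
    return waves

def staged_rollout(hosts, deploy, is_healthy, max_failure_rate=0.02,
                   fractions=(0.01, 0.10, 0.50, 1.0)):
    """Deploy wave by wave; stop as soon as one wave is unhealthy."""
    updated = failed = wave_no = 0
    for wave_no, wave in enumerate(plan_cohorts(hosts, fractions), 1):
        for host in wave:
            deploy(host)
        updated += len(wave)
        # is_healthy stands in for the "pause and watch" step: in practice this
        # is a soak period followed by a check of crash and check-in telemetry.
        bad = sum(1 for host in wave if not is_healthy(host))
        failed += bad
        if bad / len(wave) > max_failure_rate:
            return {"status": "halted", "wave": wave_no,
                    "updated": updated, "failed": failed}
    return {"status": "complete", "wave": wave_no,
            "updated": updated, "failed": failed}

# Constructed sample fleet (hypothetical host names).
FLEET = [f"host-{i:04d}" for i in range(1000)]

def simulate(defective):
    """Run the rollout against the sample fleet with a good or a bad update."""
    installed = set()
    return staged_rollout(
        FLEET,
        deploy=installed.add,
        # A defective update takes down every host that installed it.
        is_healthy=lambda h: not (defective and h in installed),
    )

if __name__ == "__main__":
    print("defective update:", simulate(True))
    print("good update:     ", simulate(False))
```

With the defective update the rollout stops after the first 1% wave, so 10 hosts are affected instead of 1,000.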
I don’t disagree - you are correct. I suppose I’m asking from a more general perspective, Microsoft OS being so entrenched into so many systems - should there be some form of certification program before being released? Just trusting 3rd parties to not get it wrong allows clear risk.
I work in automotive. There are standards and regulations like U.N. R155 that are required in Europe. To sell cars there, a company is required to have a cybersecurity management system that is compliant with the regulation, and be audited by a 3rd party. Standards like ISO21434 provide the framework for cybersecurity in product development.
I’m not aware of such regulatory requirements, standards, or certifications in this instance / context.
Back in the old days, like say 10 years ago and before, yes, C++ code was riddled with manual memory management bugs that caused all sorts of issues just like this. But with current C++ standards, manual memory management is minimized, and in some cases totally eliminated.
Obviously whoever maintained the driver code uses techniques that even today's C++ programmers would frown upon.
If it is a C# programmer being forced to use C++, it's time to get nervous, not because C++ is inherently dangerous, but because the C# programmer isn't aware of, or wasn't taught about, the new safety features introduced to C++ over the past 10 years or so, and the C# programmer is relying on dusty old C++ books and teaching material to guide them.
Ah yes, it was the ol' NULL pointer from the memory issue.
Should have said it under the cone of silence
Investopedia noted:
CrowdStrike (CRWD) short sellers made more than $373 million Friday after a defective update sent out by the cybersecurity company caused a global IT outage for Microsoft (MSFT) Windows hosts, according to research firm S3 Partners.
https://www.investopedia.com/crowdstrike-outage-microsoft-short-seller-stock-windows-8680960
Interesting post...thanks
LINT (a code checker) works wonders. Crowdstrike might look into this decades-old technology!
Sounds like they're at the end of the line with their operation; it’s understandable.
What a coincidence.
0000000009c is my bank balance