The CrowdStrike Problem Isn’t A Simple Fix…

  • Published: 24 Nov 2024

Comments • 1.3K

  • @t3dotgg
    @t3dotgg 4 months ago +651

    Sorry about the frame rate issues, CrowdStrike took down my main recording rig and I had to do this on my Mac :(

    • @t3dotgg
      @t3dotgg 4 months ago +301

      TO BE CLEAR THIS IS A JOKE. My recording rig does run windows though… 🙃🙃🙃

    • @timk9847
      @timk9847 4 months ago +26

      BS First only Enterprise PCs and Servers were affected unless someone bought Crowdstrike. Second, only a fraction of devices with Crowdstrike were affected. I work for a major nonprofit Hospital and about 25% of our servers were affected. I spent 11 hours manually remediating servers because in a large enterprise environment, that can be a large number. But get the freaking facts right. The reason this was so impactful is that it was large corporations affected. And the fix was a very manual process since Microsoft had a "feature" that put everything into "recovery mode" after two failed boots.

    • @Duckless137
      @Duckless137 4 months ago +56

      @@timk9847 What part of “to be clear this is a joke” did you not get? 💀

    • @joshuacheung6518
      @joshuacheung6518 4 months ago +14

      The whole thing

    • @rdvansloten
      @rdvansloten 4 months ago

      @@timk9847 everyone who installed this spyware willingly had it coming

  • @mrtnsnp
    @mrtnsnp 4 months ago +378

    To everyone cleaning up this mess: my condolences, may your weekend rest in peace.

    • @YourLocalAltAccount
      @YourLocalAltAccount 4 months ago +13

      Their weekends will probably be full of people complaining and PC boot looping

    • @dead-claudia
      @dead-claudia 4 months ago +10

      it's log4j all over again except it's actually crashing everything instead of hypothetically being possible to turn into a crash

    • @Warwck24
      @Warwck24 4 months ago +1

      😂😂😂😂

    • @a_lethe_ion
      @a_lethe_ion 4 months ago +1

      well at least if you're self employed (so you can demand a fuck this is my weekend surcharge) or live in any country with workers protections (aka not the usa or like india) you gonna get at least weekend pay and overtime pay

    • @C.A._Old
      @C.A._Old 4 months ago +1

      Thank god that thing never happens to me because Thanks by my PC never get windows update.

  • @samcalder6946
    @samcalder6946 4 months ago +612

    This is the best named company in history. This is the exact same outcome as if the entire crowd went on strike.

    • @morsemurraidh1314
      @morsemurraidh1314 4 months ago +17

      The entire _IT Crowd_ ...?
      There was that episode where they borrowed (then dropped) *the internet.*

    • @notme8232
      @notme8232 4 months ago

      @@morsemurraidh1314 Bet the CrowdStrike CEO found some "irregularities in the pension fund" today

    • @nardu
      @nardu 4 months ago +3

      Would make a good movie title too.

    • @ZakiWasik
      @ZakiWasik 4 months ago +11

      Exactly! The company name sounds like the name of an exploit!

    • @ehm-wg8pd
      @ehm-wg8pd 4 months ago +3

      automatic update is just stupid

  • @kameronbrooks2372
    @kameronbrooks2372 4 months ago +325

    When I got multiple calls at 2AM I knew this was going to go down as one of the worst days in recent IT history.

    • @ioannischristovasilis3279
      @ioannischristovasilis3279 4 months ago

      Aouchh

    • @C.A._Old
      @C.A._Old 4 months ago

      Thank god that thing never happens to me because Thanks by my PC never get windows update.

    • @TheNew1234_y
      @TheNew1234_y 4 months ago

      @@C.A._Old Yes, keep sending more dumb replies, because in the end, you don't know anything.

    • @goaliedude32
      @goaliedude32 4 months ago

      @@C.A._Old this never would have happened to you because there's absolutely no reason for you to have crowdstrike

    • @TimelapsingGames
      @TimelapsingGames 3 months ago

      @@goaliedude32 doesn’t windows as a company have crowdstrike?

  • @PatNeedhamUSA
    @PatNeedhamUSA 4 months ago +1019

    The largest disruption in human history caused by a missing try/catch block

    • @chinesesparrows
      @chinesesparrows 4 months ago +163

      Seriously windows acts like it has nothing to do with them but any driver issue can result in BSOD bootloop is ridiculous

    • @SahilP2648
      @SahilP2648 4 months ago +80

      @@chinesesparrows we would be in 2142 with probably Nuclear Fusion, a Mars and Moon colony, new space stations, BFR, multiple cures for cancer, synthetic lifeforms, probably alien contact, and we would still be running 120+ years old windows code 😕

    • @omri9325
      @omri9325 4 months ago +67

      Do you mean the windows code that loads drivers? What do you think the catch block should do when it reads a file full of empty bytes? Ignoring the file would mean booting up without the security features the system was supposed to have. The fault is mostly at CrowdStrike.

    • @chinesesparrows
      @chinesesparrows 4 months ago +45

      @@omri9325 i agree with that, just that pretty much any 3rd party driver can cause BSOD bootloop is a massive vulnerability. I don't know, maybe MS could add a group policy that adds a standard flow where windows creates a "driver backup point" before any new driver updates; if after the driver update there are repeated BSODs, revert to the driver backup point and contain the problem driver with an alert and log.

    • @azmah1999
      @azmah1999 4 months ago +70

      @@chinesesparrows No? It's a driver with kernel access. This makes the driver very powerful but also makes crashes easier, due to the fact that the OS cannot babysit it. I'm pretty sure you can cause a kernel panic on linux by writing a bad driver as well

  • @AndrewEddie
    @AndrewEddie 4 months ago +213

    Definitely a "zero" day problem.
    The only things saving CrowdStrike from a class action is most law firms are Windows users too :)

    • @DanielSmith-lv5ed
      @DanielSmith-lv5ed 4 months ago +6

      Crowdstrike says "hey, they didnt respond like this during covid/bitcoin. Which was also highjacked, but nobody said anything and everyone joined in for the fun. Lmao
      It may not have even been on purpose

    • @Jimothy-723
      @Jimothy-723 4 months ago +12

      @@DanielSmith-lv5ed doesn't matter. this level of negligence is actually criminal. someone will go to prison over this.

    • @lashlarue7924
      @lashlarue7924 4 months ago +5

      😂😂

    • @CHURCHISAWESUM
      @CHURCHISAWESUM 4 months ago +15

      Apparently an idiot dereferencing a null pointer and another senior idiot pushing it to production past code review is now a “zero day”
      No it’s just a really obvious bug. There was no hacker here unless the bad code was intentionally put there by the employees in order to sabotage the company. So if there’s any hack, it’s internal.

    • @monad_tcp
      @monad_tcp 4 months ago +1

      @@Jimothy-723 what, criminal negligence, last week there was that event and the person in command got no punishment nor lost their job for that absurd amount of negligence.

  • @michaelgebauer5235
    @michaelgebauer5235 4 months ago +71

    Sending out a sys file filled with nulls looks to me like sabotage

    • @dead-claudia
      @dead-claudia 4 months ago +27

      or a failure of automation
      sending out nulls is something that 100% should've been detected before it got sent out, tho.

    • @D0XXX4
      @D0XXX4 4 months ago +1

      The file wasn’t full of nulls.

    • @celiem4352
      @celiem4352 4 months ago

      YES IT "WAS SABOTAGE" YOU ARE SPOT ON. PEOPLE ARE SO EASILY FOOLED, IT'S INCREDIBLE. I KNEW IT IN MY GUT. NO ONE CAN CONVINCE ME THAT IT WASN'T SABOTAGE. OH, EXCUSE MY CAPS PLEASE. I CAN'T SEE THE SMALL LETTERS WELL ENOUGH TO USE THEM. GOD BLESS YOU FOR THE TRUTH

  • @AvanaVana
    @AvanaVana 4 months ago +97

    I literally just turned down an offer from Crowdstrike two weeks ago in favor of another job offer…it was a tough decision to make at the time but now it’s definitely looking like I made the right decision! 😬

  • @gorak9000
    @gorak9000 4 months ago +373

    Crowdstrike is ransomware, they just have a different payment plan. You pay up front for the privilege of being ransomwared at some unknown point in the future. Turns out the unknown point in the future was today! Surprise!

    • @gorak9000
      @gorak9000 4 months ago

      The other problem is not just bitlocker, but if your company locked the microsoft account so you can only sign in from company devices to get the recovery key, but all your company devices are hosed. I can sign into the account from my personal linux box, but it just says it's restricted, and I can't do anything, or get the recovery key. I was on hold with IT support for hours today, and at one point, the phone system hung up on everyone, and calling back the number went to a busy signal for the next hour. I spent 3 more hours on hold with IT, and they either answered when I went to get something to eat, or hung up on me again. What a cluster F

    • @growtocycle6992
      @growtocycle6992 4 months ago +23

      It's how McAfee works on all the PCs of retired folks I know, who installed this "shiny, free antivirus software." 🤦

    • @Walter_
      @Walter_ 4 months ago +13

      LOL call it reversalware

    • @LutherDePapier
      @LutherDePapier 4 months ago +3

      This is facts.

    • @jacquelinel1618
      @jacquelinel1618 4 months ago

      And don’t forget that Crowdstrike was responsible for the 2016 story that Russia hacked the DNC in order to get dirt on Hillary and favor Trump. Which was a lie.

  • @kwilt
    @kwilt 4 months ago +15

    I literally spent my entire friday manually fixing computers and explaining to people at remote locations how to fix their computers. Our entire IT department became helpdesk because of this update. You don't know the pain of explaining to a non-tech person over the phone - how to make a bootable USB, boot to it, and then enter their bitlocker recovery key so they can delete a file via command prompt until you've done it personally. I got to do that dozens of times on Friday and there's going to be lots more of this for the foreseeable future... I cannot express how much this sucks to fix even though it's a relatively simple fix. It just can't be automated and it's horrible for that reason.

  •  4 months ago +96

    They failed to do a smoketest of their agent after build but before deploying it worldwide. Sounds like their software and update development process is just really not up to professional software engineering standards. At Meta, we had to have other engineers, sometimes multiple, review diffs before they would be accepted. And then there were multiple layers of CI/CD testing before exponential deployment with canary testing. You don't just push new code to all the machines all at once, because it's way too dangerous.

    • @grastant6819
      @grastant6819 4 months ago +8

      And deployment of system files, much less kernel level files should have a hash/checksum too, no?

    • @Montoyax
      @Montoyax 4 months ago

      And still they fucked up all their systems for a DNS error

    • @mjwchapman
      @mjwchapman 4 months ago +6

      things go wrong even after full in-house testing. that's why you have canary testing and phased roll outs. the ceo comes across as totally disingenuous and is ultimately the reason for the company's poor practices.

    • @momchilandonov
      @momchilandonov 4 months ago +2

      It's weird how they got to around 80 billion $ market cap with this incompetence!

    • @momchilandonov
      @momchilandonov 4 months ago

      @@grastant6819 this wasn't a kernel level driver/file. The .sys is misleading.

  • @einargs
    @einargs 4 months ago +222

    I mean, all the malware also targets windows because that's the big user facing desktop OS.

    • @itsmefrancois6825
      @itsmefrancois6825 4 months ago +39

      That's the biggest reason. I bet he can't even name 3 reasons why Windows is much more vulnerable than the other OS

    • @haroldcruz8550
      @haroldcruz8550 4 months ago +24

      Linux runs most of the world's servers though. Cyber criminals always go for the path of least resistance and that's what Microsoft provides.

    • @torquetheprisoner
      @torquetheprisoner 4 months ago +5

      crowdstrike did the same thing to mac and Linux as well

    • @benheidemann3836
      @benheidemann3836 4 months ago +5

      @@torquetheprisoner when was this? Can you link to news articles?

    • @J-wm4ss
      @J-wm4ss 4 months ago

      @@benheidemann3836 you can google "red hat crowdstrike", it states that the driver works in kernel mode and user mode

  • @thezoidmaster
    @thezoidmaster 4 months ago +98

    the fact that one company can take everything down like this is scary, one bad actor and this could've been a mass malware attack instead of a simple driver error

    • @blakenolingberg1556
      @blakenolingberg1556 4 months ago +11

      Nope. Crowdstrike had this access because they were trusted. Malware doesn't get to waltz this close to the kernel as easily.

    • @monad_tcp
      @monad_tcp 4 months ago +6

      @@blakenolingberg1556 that was the mistake.
      Don't trust anything running on the ring0 that's third party, except drivers made by the vendor.
      No toy software or rootkit is allowed.

    • @CRhetorix
      @CRhetorix 4 months ago

      Capitalism market innovation... this is freedom of choice... The truth is corporate American hates competition, and capitalism always produces monopoly.

    • @dead-claudia
      @dead-claudia 4 months ago +1

      @@monad_tcp lotta people run this due to legal obligation, and crowdstrike has historically been far better than their competition (let that sink in)

    • @Warwck24
      @Warwck24 4 months ago

      No - Microsoft have a security feature if bad data updates it's designed to crash. Falcon - it's been busy - on this direction for a while I'd guess

  • @MasterOfMisc
    @MasterOfMisc 4 months ago +36

    The problem with the bootable USB thing is that a lot of corporate devices block booting from USB by default, which means the IT Team would have to tell the end user the BIOS password to get into the BIOS to change the boot order to enable booting from USB. It's a total nightmare!

    • @BryanK-y5y
      @BryanK-y5y 4 months ago

      Would the block not be a gpo ? So won't apply to a local admin or admin profile

    • @Micloren
      @Micloren 4 months ago +3

      Most companies I’ve been around weren’t secure enough to lock the BIOS.

    • @Micloren
      @Micloren 4 months ago

      @@BryanK-y5y BIOS loads before the Windows OS.

    • @MrThebigcheese75
      @MrThebigcheese75 4 months ago +10

      Yeah, as a former IT support bod in logistics, taking a user through the steps will be painful and in some cases practically impossible.
      Can you get into safe mode please, power on the computer, wait eight seconds, hold power to turn off. Repeat again.
      Err, it's not coming on again. Oh, it is now, oh god blue screen again.
      We need to start again.
      Warehouse bod, eff this you'll have to come over and do it.
      That's before you even get to bit locker and talking though command line. Lots of journeys will be happening this weekend.

    • @BoStark
      @BoStark 4 months ago +1

      Just use PXE.

  • @erroneum
    @erroneum 4 months ago +216

    I mean, Windows might be the least secure how most people use it, but there's another huge facet to why it's the target of ransomware: it absolutely dominates the end-user/workstation market, especially when you are wagering the victim can't just restore from a backup and ignore you.

    • @Texas3Percenter
      @Texas3Percenter 4 months ago +20

      It's purposely written like swiss cheese, full of back doors and vulnerabilities so they and intelligence agencies can access your computer any time they want. Linux is not. So, Linux users don't have to worry about viruses or malware and don't have to put middle-man software between them and their machines to protect them from their malware/spyware OS. The only thing I use on my Linux servers is a firewall and Fail2Ban to prevent brute force pwd cracking.

    • @unaquetzadilla
      @unaquetzadilla 4 months ago +40

      @@Texas3Percenter This specific issue is not exclusive to Windows. This is an issue of operating systems architecture and how drivers are able to run in Kernel mode. Falcon has a Kernel driver for Linux, Windows and macOS. The IT departments of companies are asking the OS to load the Falcon driver and allow it to run in Kernel mode, allowing it to watch for user data but also enabling it to get OTA updates and not being able to choose whether or not to get the update. The same bad driver could be for Linux or macOS.

    • @J-wm4ss
      @J-wm4ss 4 months ago +6

      @@unaquetzadilla also, macOS still needs antivirus/endpoint protection. It just works a bit different and the audience of people who get MacBooks at work is probably more technical

    • @markcruise
      @markcruise 4 months ago +26

      Just what I was thinking. The reason Windows is targeted more is because it’s sitting on 73% of desktops. The PC Security channel showed that malware vendors absolutely have Linux versions of their tools. It is not immune.

    • @marcus141
      @marcus141 4 months ago +2

      @@unaquetzadilla What you said is partly true. In my previous role, I deployed crowdstrike for a major broadcaster and one common misconception in all of this is that crowdstrike can push updates to customer endpoints without their knowledge or consent. It's simply not true. Endpoint management is handled centrally by IT admin and we can choose if we want to use the latest Falcon sensor version or not. You can of course configure crowdstrike to auto update the sensors but that would be ludicrous.

  • @Atomicjtx
    @Atomicjtx 4 months ago +38

    I was dealing with this today as an IT tech. Oh boy, What a joke. Took around 20 minutes on average per person affected. Since hundreds of devices were affected it made for a long day... :(

    • @joeypritchard6320
      @joeypritchard6320 4 months ago +2

      😮😮😮😮

    • @theairaccumulator7144
      @theairaccumulator7144 4 months ago +1

      20 minutes? You could've set up a few rubber ducky USBs to automatically run those commands.

    • @sirklatt
      @sirklatt 4 months ago

      @@theairaccumulator7144 He gets paid by the hour

  • @jasonfreeman8022
    @jasonfreeman8022 4 months ago +59

    Where in the hell is the testing cluster they should have deployed to first? CrowdStrike should deploy their Falcon updates to all their own machines and if they don’t BSOD after a week THEN release to the entire galactic empire.

    • @Betadesk
      @Betadesk 4 months ago +22

      Yeah, I was gonna say don't they do gradual deployment? To like 1% of machines first, then 10%, 25% etc. or at least some A/B testing damn

    • @piquat1
      @piquat1 4 months ago +9

      Let's accept for a second that they did that, because they probably did, they've been doing this for a while. They probably did NOT send out a null file. So somewhere between them releasing it and the end users getting it, it got nulled out. That's where the problem was. Azure went down right before all this happened...

    • @AZaqZaqProduction
      @AZaqZaqProduction 4 months ago +9

      This is tough because as an antivirus you want updates deployed as quickly as possible. If some new exploit comes out you wouldn't want your customers to be vulnerable to it for over a week.

    • @jasonfreeman8022
      @jasonfreeman8022 4 months ago +3

      If they tested, then they either didn’t test what they were deploying or they didn’t deploy what they tested. This is a basic control problem. I have had to point out to management numerous times that whatever cockamamie plan they have for maintaining a claim that the product was tested, that they weren’t testing what they were deploying. That internal process needs to be seriously scrutinized.

    • @mjwchapman
      @mjwchapman 4 months ago +1

      @@piquat1 i cannot believe they were smart enough to do a phased roll out, but then neglect a simple hash check of the deploy-able. the evidence suggests they did neither.
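      Two points in these threads, @grastant6819's question about hashing kernel-adjacent deployables and the observation here that you have to deploy exactly what you tested, come down to one control on the receiving side: before an agent loads a content file, it verifies the bytes against a manifest that was produced for the tested artifact, rejects anything that does not match, and only ever sees the update if its host is in the current rollout ring. The Python below is an added example of that fail-closed check. It is not CrowdStrike's code and assumes nothing about the real channel-file format; the manifest layout, the HMAC-based signing (standing in for a proper signature scheme), the `GOOD_BLOB`/`ZERO_BLOB` samples and the ring percentages are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts: the bytes that "passed testing", and a same-length
# copy that is entirely zero, the failure mode discussed in this thread.
GOOD_BLOB = b"RULESET v7\n" + bytes(range(256)) * 4
ZERO_BLOB = b"\x00" * len(GOOD_BLOB)

# Hypothetical build-pipeline key. HMAC stands in for a real signature so the
# example runs with the standard library only; in practice the endpoint would
# hold a public key and the pipeline the private key.
BUILD_KEY = b"example-build-pipeline-key"


def sign_manifest(blob: bytes, version: str, key: bytes = BUILD_KEY) -> dict:
    """Produce a manifest bound to the exact bytes that were tested."""
    meta = {"version": version, "size": len(blob), "sha256": hashlib.sha256(blob).hexdigest()}
    body = json.dumps(meta, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def looks_like_filler(blob: bytes) -> bool:
    """True if the blob is empty or every byte is the same value (e.g. all zeros)."""
    return len(blob) == 0 or blob.count(blob[0:1]) == len(blob)


def validate_update(blob: bytes, manifest: dict, key: bytes = BUILD_KEY) -> tuple:
    """Fail closed: return (ok, reason). The caller loads the blob only when ok is True."""
    expected_tag = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, "manifest signature mismatch"
    meta = json.loads(manifest["body"])
    if len(blob) != meta["size"]:
        return False, f"size {len(blob)} != {meta['size']}"
    if looks_like_filler(blob):
        # Cheap structural sanity check that catches the "right size, all zeros" case
        # even if someone forgot to publish a manifest hash.
        return False, "content is uniform filler bytes"
    if hashlib.sha256(blob).hexdigest() != meta["sha256"]:
        return False, "sha256 mismatch: deployed bytes are not the tested bytes"
    return True, "ok"


def ring_for_host(hostname: str, rings=(1, 10, 25, 100)) -> int:
    """Deterministically place a host in a rollout ring (0 = the 1% canary ring).

    A staged rollout promotes the update ring by ring; a host only fetches the
    update once the current ring index is >= its own.
    """
    bucket = int(hashlib.sha256(hostname.encode()).hexdigest(), 16) % 100
    for index, percent in enumerate(rings):
        if bucket < percent:
            return index
    return len(rings) - 1


def should_receive(hostname: str, current_ring: int) -> bool:
    """Gate delivery on the rollout stage rather than pushing to every host at once."""
    return ring_for_host(hostname) <= current_ring


if __name__ == "__main__":
    manifest = sign_manifest(GOOD_BLOB, "7")
    print(validate_update(GOOD_BLOB, manifest))   # (True, 'ok')
    print(validate_update(ZERO_BLOB, manifest))   # rejected as filler bytes
    print(sum(should_receive(f"host-{i}", 0) for i in range(1000)), "of 1000 hosts in the canary ring")
```

      The order of the checks matters: the manifest signature is verified first so a corrupted or substituted manifest cannot relax the later checks, and the hash comparison is what ties "what we tested" to "what we shipped". The filler check is deliberately redundant with the hash; it exists so that a pipeline bug that zeroes the file is caught even where a manifest is missing or stale.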

  • @lcarsos
    @lcarsos 4 months ago +119

    uh, no. Crowdstrike on mac is just as deep, and slows down my work mac just as much.

    • @ivocass4332
      @ivocass4332 4 months ago +28

      Shhh, man. Macs are supposed to be fancy.

    • @lcarsos
      @lcarsos 4 months ago +23

      @@ivocass4332 it's a very slow, hot, but pretty piece of aluminum after corporate IT gets to it. XD

    • @karmatraining
      @karmatraining 4 months ago +2

      Oh that suuuuuuuuucks

    • @petargolubovic5300
      @petargolubovic5300 4 months ago +4

      But the difference is that it doesn't run on kernel level. Mac and Linux have fixed this particular problem long ago

    • @brandonn.1275
      @brandonn.1275 4 months ago

      @@petargolubovic5300 Agreed. Mac booted anti-virus software from the kernel after creating an endpoint security API for them to use, and Linux has ebpf hooks and bpf programs for AV to screen for potentially malicious activity with a guarantee that they can't crash the kernel (bpf programs have strict security/stability guarantees while being non-turing complete)

  • @stephenjames2951
    @stephenjames2951 4 months ago +89

    hey grandma, all you have to do is start up in safe mode, grandma? Grandma?

    • @kinamonsterrawr
      @kinamonsterrawr 4 months ago +9

      Honestly, when I was an i.t. call center tech, the older people could often be counted on to listen to my instructions and not go off script. It depended on the person of course, but I was often able to wrangle an older person to listen. 😅

    • @firstprib7742
      @firstprib7742 4 months ago +5

      Grandma just rebooted into safe mode

    • @andrewreed1329
      @andrewreed1329 4 months ago +6

      grandmas on mint

    • @torquetheprisoner
      @torquetheprisoner 4 months ago +1

      grandma:beeeeeeeseeeseeeeeeeeeeeee

    • @kattmilk
      @kattmilk 4 months ago +3

      Please be patient: Grandma is busy beta testing in production. 😅👵🏾

  • @WilkinsonX
    @WilkinsonX 4 months ago +19

    Our company installed CS on thousands of Windows clients recently. A few weeks ago they uninstalled it because it was causing massive system performance issues. Giant bullet dodged.
    On the Windows side, it's just nuts that any driver causing continual stop errors is not auto disabled /quarantined by the OS.

    • @dead-claudia
      @dead-claudia 4 months ago +8

      are you sure you aren't neo? bc that's some wicked bullet dodging ability

    • @tiredguy709
      @tiredguy709 4 months ago +1

      The driver affects the boot process which is why it wouldn’t fail until a restart. Can't auto detect a failing driver before that driver gets used by the system.

    • @bltzcstrnx
      @bltzcstrnx 4 months ago

      Kernel drivers will cause severe problems on any OS, not just Windows. Just search RHEL CrowdStrike if you don't believe it.

    • @Kas-tle
      @Kas-tle 4 months ago +3

      Most drivers do not, but generally AVs mark theirs as a boot driver, so the system cannot boot if it is failing. So it's not just "any driver" as you state.

    • @paavobergmann4920
      @paavobergmann4920 3 months ago

      The fact it has to be implemented as a driver at all is nuts.
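      The "driver backup point" proposed by @chinesesparrows earlier in the comments and the auto-disable/quarantine that @WilkinsonX asks for here describe the same mechanism: the OS cannot know a boot-start driver is bad until it has crashed at least once (the caveat @tiredguy709 raises), so it counts consecutive failed boots and, past a threshold, reverts every driver that changed since the last successful boot. The Python below is an added simulation of that last-known-good logic written for this page; it is not Windows code or any vendor's recovery feature, and the threshold of two failures, the `Driver` model and the `sensor` driver names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed policy: after this many consecutive failed boots the OS intervenes.
BOOT_CRASH_THRESHOLD = 2


@dataclass
class Driver:
    name: str
    version: str
    boot_start: bool        # loaded before the desktop is reachable, like an AV sensor
    crashes_on_load: bool   # simulation knob: does this version fault when loaded?


@dataclass
class BootState:
    installed: Dict[str, Driver]                       # drivers currently configured to load
    last_known_good: Dict[str, Driver] = field(default_factory=dict)
    failed_boots: int = 0
    quarantined: List[Tuple[str, str]] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


def install_update(state: BootState, new: Driver) -> None:
    """An update replaces the configured driver but does NOT touch last-known-good."""
    state.installed[new.name] = new
    state.log.append(f"installed {new.name} {new.version}")


def revert_to_last_known_good(state: BootState) -> None:
    """Quarantine every driver that differs from the last successful boot's snapshot."""
    for name, drv in list(state.installed.items()):
        lkg: Optional[Driver] = state.last_known_good.get(name)
        if lkg is not None and lkg.version == drv.version:
            continue  # unchanged since the last good boot; leave it alone
        state.quarantined.append((name, drv.version))
        if lkg is None:
            del state.installed[name]        # brand-new driver with no good history
            state.log.append(f"quarantined {name} {drv.version}; no prior version to restore")
        else:
            state.installed[name] = lkg      # roll back to the snapshot
            state.log.append(f"quarantined {name} {drv.version}; restored {lkg.version}")
    state.failed_boots = 0


def attempt_boot(state: BootState) -> bool:
    """Simulate one boot. Returns True if the system came up."""
    for drv in state.installed.values():
        if drv.boot_start and drv.crashes_on_load:
            state.failed_boots += 1
            state.log.append(
                f"boot failed loading {drv.name} {drv.version} (failure {state.failed_boots})")
            if state.failed_boots >= BOOT_CRASH_THRESHOLD:
                revert_to_last_known_good(state)
            return False
    # Success: only now does the current driver set become the recovery snapshot.
    state.failed_boots = 0
    state.last_known_good = dict(state.installed)
    state.log.append("boot succeeded; last-known-good snapshot saved")
    return True


def simulate() -> Tuple[BootState, List[bool]]:
    """Good sensor v1 boots, a faulty v2 update lands, then three boots are attempted."""
    state = BootState(installed={"sensor": Driver("sensor", "1", True, False)})
    attempt_boot(state)                                         # establishes the snapshot
    install_update(state, Driver("sensor", "2", True, True))    # the bad update
    results = [attempt_boot(state) for _ in range(3)]
    return state, results


if __name__ == "__main__":
    final_state, outcomes = simulate()
    print(outcomes)            # [False, False, True]
    print(*final_state.log, sep="\n")
```

      The snapshot is only refreshed on a successful boot, which is the detail that makes the scheme safe against exactly this failure: the bad update can never become the last-known-good, so after the second crash the machine comes back on the previous version and the faulty one is recorded as quarantined for an admin to investigate.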

  • @koyotecow7102
    @koyotecow7102 4 months ago +46

    They don't want to apologize cuz they don't want to admit fault and open them up to lawsuits.

    • @momchilandonov
      @momchilandonov 4 months ago

      Their asses are already opened up to lawsuits big time! 3 billion in cash $ watch it evaporate! Their customers are now PUBLIC DATA which is a huge liability for their future cash flows too.

    • @debbyolivier5122
      @debbyolivier5122 4 months ago

      too late for that! this company shouldn't exist in the future!

    • @celiem4352
      @celiem4352 4 months ago

      THEY'D NOT BE ABLE TO "PAY FOR ALL THE QUATRILLIONS OF DOLLARS LOST😂

  • @aronjacobson5403
    @aronjacobson5403 4 months ago +138

    loved the title "The day the world went blue"

    • @LagowiecDev
      @LagowiecDev 4 months ago +7

      Video with that title is delisted

    • @aronjacobson5403
      @aronjacobson5403 4 months ago +5

      @@LagowiecDev yeah i know i just loved that title, this one doesn't flow off the tongue like that one did

    • @t3dotgg
      @t3dotgg 4 months ago +30

      I loved that title and will likely change back to it. This one's performing way better though :(

    • @aronjacobson5403
      @aronjacobson5403 4 months ago +2

      @@t3dotgg :)

    • @koto9x
      @koto9x 4 months ago +4

      just make it ur description or a pinned comment

  • @ValZarGaming
    @ValZarGaming 4 months ago +49

    "Windows is the only OS that is insecure enough to have problems like this"
    Let me tell you why that's bullshit - Crowdstrike did this to our production Linux fleet back on April 19th.

    • @theoryianabsolute8777
      @theoryianabsolute8777 4 months ago +1

      Don't say something like that, that's unprecedented

    • @JustSomeGuyCG4
      @JustSomeGuyCG4 4 months ago

      Biased video for sure, but any opportunity to bash Windows they take it!

    • @ValZarGaming
      @ValZarGaming 4 months ago +2

      @@theoryianabsolute8777 I do not believe that word means what you think it means. This has as of now also been confirmed by other news sources.

    • @liam3284
      @liam3284 4 months ago

      Accessing a CIFS share did this to a few of our linux boxes last month. Cause was a broken kernel "security update".

  • @jhcato
    @jhcato 4 months ago +133

    Let's not forget all the people who probably put their very important bit locker passwords... inside of their bit lockers.

    • @tatumsh9
      @tatumsh9 4 months ago +9

      That's why they call IT. The amount of people who do not know how to log in to their work email on their phones so I don't have to read out their 69000 digit recovery key is incredible... and then hope to god that they wrote it down correctly or heard you correctly... and then hope to god that they enter it correctly so that 75 year old Dorothy doesn't have to be talked through booting into safe mode again BEFORE you have to talk her through deleting a file.

    • @morsemurraidh1314
      @morsemurraidh1314 4 months ago +1

      So, there was this episode of _The Munsters_ that followed the same idea...
      They wound up blowing up a very expensive antique box to find a video cassette (and not a heap of treasure).

    • @rlstrength
      @rlstrength 4 months ago +11

      There was a post on reddit about a huge org that has the bitlocker keys on a box with bitlocker and they don't know where the key for the centralized box is because the documentation is also behind bitlocker

    • @monad_tcp
      @monad_tcp 4 months ago +2

      I did that by mistake once, I stored my password database on the bit locker drive, the bit locker password was in the password database.
      Lucky I have an offline backup of the password database.

    • @gorak9000
      @gorak9000 4 months ago

      @@tatumsh9 Or maybe the company shouldn't limit the microsoft account to only be accessed from company devices, when the only company device is hosed! Sure, don't allow access to everything, but they could allow access to the damn recovery key. Also if I have the company email setup on the phone, then it creates a huge nightmare in outlook making me authenticate on the phone every time to use outlook on the pc - I discovered by accident (when the company "mistakenly" removed email from everyone's phone) that not having it on the phone solved all the auth issues on the PC too, so I just left it off the phone. I don't need company email on my phone 24/7 - company email is only for during work time on the PC

  • @MultiMojo
    @MultiMojo 4 months ago +258

    Root cause analysis - 1) Using Windows for mission critical work in 2024 2) Terrible code that somehow made it past code review 3) Build system that corrupts files 4) No validation checks prior to rollouts 5) Rollouts to the entire install base rather than a staged rollout

    • @gorak9000
      @gorak9000 4 months ago +32

      I've never anywhere seen a build system that produces a file of the right size, but filled with all 0's - how does that even happen?

    • @lashlarue7924
      @lashlarue7924 4 months ago +26

      It's WILD to me that so many big companies have built critical business infrastructure around Windows. I do it for my little piddly business but I'm aware of the shortcomings!

    • @JacobProbst-z2l
      @JacobProbst-z2l 4 months ago +21

      @@Jimothy-723 1. DEI isn't a word, it's an acronym. 2. These kind of issues occurred long before 'DEI' was a thing, so how do you explain those issues if this is obviously because of DEI? I'll wait.

    • @timk9847
      @timk9847 4 months ago +14

      1-4 are BS, but 5 is on point

    • @qwaszx2
      @qwaszx2 4 months ago

      @@JacobProbst-z2l DEI is just an acronym for affirmative action. It's always been a thing in the internet age. Sorry that you're wrong. It's more prevalent today since there are few qualified white males willing to work for crap wages.

  • @cheekoandtheman
    @cheekoandtheman 4 months ago +30

    Crowdstrike painted the town BLUE !

  • @redeuxx_
    @redeuxx_ 4 months ago +46

    Linux versions of Falcon also hook into the kernel. Talking about how this fuck is somehow because it is Windows is disingenuous. Why can't we just blame Crowdstrike and just Crowdstrike instead of bringing up and blaming Microsoft?

    • @kipoyedcl
      @kipoyedcl 4 months ago +12

      i wholly agree with you, this guy just wanted to hate just because it's windows, i also don't like windows myself but it's pretty disingenuous to blame Windows when it's not their fault.

    • @Abaddon231
      @Abaddon231 4 months ago +4

      He didn't blame windows, he said they are the most insecure OS on the market, and that's why software like Falcon exists

    • @redeuxx_
      @redeuxx_ 4 months ago +13

      @@Abaddon231 falcon also exists on Linux and Mac. Is Falcon there because of Windows? Falcon exists because there are malicious actors, not because Windows exists. Then he mentions kernel drivers without acknowledging that this also happens on Linux and the fact that if you want a solution like Falcon, they should hook into the kernel, because that is how they can most effectively do their job. Or why bother having an EDR at all. He would have been able to effectively convey his message; instead he went all mainstream media ranting about Windows. This shit isn't his forte, but he still has a take on it. Low Level Learning has a much better and nuanced take on this.

    • @brandonn.1275
      @brandonn.1275 4 months ago +8

      Falcon on Linux uses ebpf hooks which can't crash the kernel (they have extraordinarily strict guarantees, restrictions, and limitations that would prevent an ebpf program from doing that, they aren't even turing complete)
      Apple on the other hand has an API for AVs to do their job and doesn't permit them to install a driver.

    • @redeuxx_
      @redeuxx_ 4 months ago +8

      @@brandonn.1275 Falcon on Linux in User Mode uses eBPF. There are still many systems that use Kernel mode. Although Falcon is transitioning to User Mode, Kernel Mode is still officially the default mode for Falcon on Linux. Per official CrowdStrike docs. Many of my Linux systems still use Kernel Mode.

  • @BinaryReader
    @BinaryReader 4 months ago +20

    "Pretty much every PC in the world just BSOD" - Incorrect, only PCs that ran CrowdStrike.

  • @WillDelish
    @WillDelish 4 months ago +25

    This is going to be a LONG weekend for some folks in tech

    • @aug.jam.1
      @aug.jam.1 4 months ago +7

      Weeks sir... weeks

    • @Texas3Percenter
      @Texas3Percenter 4 months ago +3

      No one goes home til this is fixed!

    • @haroldcruz8550
      @haroldcruz8550 4 months ago +5

      I'm a glass half full type of guy. At least now companies know how important their IT is

    • @cabpacedilla
      @cabpacedilla 4 months ago +2

      I guess this takes time because the fix needs to be done manually on every computer

    • @aug.jam.1
      @aug.jam.1 4 months ago

      @@cabpacedilla yeap

  • @ellipsis...1986
    @ellipsis...1986 4 months ago +44

    My favourite part of the disappearing air traffic example is that while they will occasionally get crippling downtime from their infrastructure, Southwest still running primarily Windows 3.1 with a sprinkling of Windows 95 here and there rather isolated them from the CrowdStrike issue.

    • @bullpup1337
      @bullpup1337 4 months ago +4

      surely that is a joke… surely…??

    • @Ignisami
      @Ignisami 4 months ago +18

      @@bullpup1337 of course. No way Southwest is running something as modern as Windows 3.1 :p

    • @dead-claudia
      @dead-claudia 4 months ago

      @@bullpup1337🙂

    • @mollusckscramp4124
      @mollusckscramp4124 4 months ago

      Once again Southwest comin in for the win

    • @SirWickMusic
      @SirWickMusic 4 months ago

      @@Ignisami Actually, they are

  • @lashlarue7924
    @lashlarue7924 4 months ago +5

    OMFG, Theo thank you I had no idea how terrible this was!! The encrypted bitlocker problem is absolutely horrendous! Oh my god, I could maybe get this sorted but most people definitely can't, this is BAD!

  • @joshuathomasbird
    @joshuathomasbird 4 months ago +11

    It's shockingly inept. The fact they did a rollout with no percentage-based rollout and metrics on how the rollout was performing and no rollback plan is literally insane, and then on top of that the fact their deploy pipeline distributed this with tests either not run or failed.... makes it seem like there's more to this story than just oh we just pushed some bad code.
    There are safeguards in code and policy that should prevent this.

    • @joshuathomasbird
      @joshuathomasbird 4 months ago

      Also the fact it's literally *in* the kernel and not something like eBPF where it can have hooks in the kernel and have safety guarantees about it not crashing the computer... that's Microsoft's fault for writing a steaming pile of bitrot masquerading as an operating system.

    • @jeronimo196
      @jeronimo196 4 months ago

      once you remotely brick a pc, the rollback becomes difficult...

    • @joshuathomasbird
      @joshuathomasbird 4 months ago +1

      @@jeronimo196 That's why it's also done as a percentage rollout.

  • @JonitoFischer
    @JonitoFischer 4 months ago +28

    CrowdStrike is the company that shuts down your computer when you're hacked, and they won't allow it to turn on until they manually check how bad the hack is...

    • @D0XXX4
      @D0XXX4 4 months ago

      We don’t shut it down, we hit a button labelled “network containment” which only allows it to communicate with the admin dashboard for forensic analysis. Your MSSP should be ringing you immediately if they have to use network containment

    • @liam3284
      @liam3284 4 months ago

      Yep, and since it is using a heuristic, there may not be a hack at all. It's arbitrary DOS

  • @goldguilder9554
    @goldguilder9554 4 months ago +1

    Imagine a robotaxi malfunction due to crowdstrike

  • @ARandomUserOfThisWorld
    @ARandomUserOfThisWorld 4 months ago +134

    Lesson learned: use Linux (I use arch btw(I use arch btw))

    • @dyto2287
      @dyto2287 4 months ago +7

      After using Linux for 10 years and Arch for 5 years I will say... use Mac instead. If you need something Linux or Windows specific you can spin up a VM with Parallels. And overall, Mac laptops last long and have overall great performance & build quality. As for servers - Linux is the only choice.

    • @connerreimers6506
      @connerreimers6506 4 months ago

      What if I want to play Elden Ring @@dyto2287

    • @lck0ut348
      @lck0ut348 4 months ago

      @@dyto2287 That or, if you do want to use Linux, just use Ubuntu.

    •  4 months ago +9

      looks like you use lisp btw too

    • @quinndirks5653
      @quinndirks5653 4 months ago +11

      @@dyto2287 Until your display cable is too short and rips when you open it and Apple won't cover it under warranty... Not to mention the throttling that occurs because they don't put fans in their laptops. Hope you didn't need performance...

  • @somerandompersonintheinternet
    @somerandompersonintheinternet 4 months ago +13

    WOW. I'm a developer currently on vacation, and I'll be back to my job on Monday. My computer has been off for the past two weeks so I guess I'm lucky? Assuming right now they are no longer shipping the bad update and I can safely turn on my PC, but will definitely make sure next week!

    • @Texas3Percenter
      @Texas3Percenter 4 months ago +3

      Lol, you dodged a bullet, brother!

    • @IAT1964
      @IAT1964 4 months ago +2

      Disconnect from internet and then boot up.

    • @bmanpura
      @bmanpura 4 months ago

      They fixed it. I just booted my computer no problem after not using it at all for the past 2 days.

    • @Warwck24
      @Warwck24 4 months ago

      Urrrgh must check mine grrrr

    • @Sandy-o4p
      @Sandy-o4p 4 months ago

      Unplug it from the internet when you boot, and then turn off the updates.

  • @JamieHicks154
    @JamieHicks154 4 months ago +22

    One point to make (I am a Mac user so don't come at me 😂): Microsoft has the biggest market share for desktop by a large margin, so it makes sense for hackers to focus on them. Not saying it shouldn't be more secure, but they will also get bigger focus from hackers just due to market share.

    • @haroldcruz8550
      @haroldcruz8550 4 months ago +9

      Linux runs most of the world's servers though. If Linux is much more vulnerable than Windows it would make more sense to focus on Linux since you can have more control. The thing is Windows simply is a lot less secure and more prone to crashes like this.

    • @DimkaTsv
      @DimkaTsv 4 months ago

      @@haroldcruz8550 You know, it is much harder to trick a user into installing malware on a server than it is to make a user launch it on their own PC.
      Which is, coincidentally, predominantly Windows.

    • @bltzcstrnx
      @bltzcstrnx 4 months ago

      @@haroldcruz8550 Linux flaws are invisible to the general public and end-user Linux enthusiasts. That said, there are many well known attacks on servers.

  • @aryankothari4634
    @aryankothari4634 4 months ago +14

    It's insane that CrowdStrike didn't integration test the update, and even more insane that mission-critical infrastructure is OK with automatic OTA patches.

    • @SirWickMusic
      @SirWickMusic 4 months ago

      How in the WORLD do you not test the system BEFORE you send it out. CRAZY!

    • @liam3284
      @liam3284 4 months ago

      Doesn't Microsoft force updates on their Windows users too?

  • @TallinuTV
    @TallinuTV 4 months ago +4

    “Pretty much every PC in the world”… What? No. Nobody’s home computer would have CrowdStrike software. No Mac or Unix or Linux systems would be affected. The number of business computers running Windows with this software loaded is absolutely mind-boggling, though. I mean, we’re in seriously WTF territory. I hope people can get things straightened out quickly, especially for the more critical areas.

  • @MexMario
    @MexMario 4 months ago +4

    CrowdStrike engineers: “Update is ready, let’s deploy it to the world Friday morning, and let’s test on production”

  • @ZachFrank714
    @ZachFrank714 4 months ago +6

    There was an issue with CrowdStrike on Debian several months back, that caused the OS to not boot… This isn’t the first time CrowdStrike has massively broken an operating system

    • @liam3284
      @liam3284 4 months ago

      Their reaction to that issue suggested they really did not care. It should have been a red flag.

  • @darkshoxx
    @darkshoxx 4 months ago +9

    And Hammond gets a shoutout here as well 😎. Also, great video of course, really enjoyed the take on how to and how not to communicate in such a situation.

    • @t3dotgg
      @t3dotgg  4 months ago +3

      Absolutely! If I didn't shout him out in the video directly that was an absolute L on my part

    • @darkshoxx
      @darkshoxx 4 months ago +1

      @@t3dotgg No no, you did, 12:40 👍 Hammond collab when? 😉

  • @jgndev
    @jgndev 4 months ago +1

    Companies that run something like CrowdStrike often use BitLocker AND have taken measures to block USB devices. You have to lock a Windows machine down way more to be 'compliant' for auditing

  • @miquelfire
    @miquelfire 4 months ago +5

    If you search hard enough, you'll find that there were two Linux distros that got a bad update from CrowdStrike that resulted in the same issue. I think I read that it was cases of kernel panics in this case.

  • @RickOShay
    @RickOShay 4 months ago +1

    3rd party access to kernel mode plus cloud service = recipe for disaster. Crowdstrike - aptly named - soon to be a Null company pointer.

  • @RonnieDenzel
    @RonnieDenzel 4 months ago +20

    RIP to the intern😢

    • @TheJFerg24
      @TheJFerg24 4 months ago

      If an intern did the coding or deployment, then their supervisor needs to be in big trouble.

  • @garydrago
    @garydrago 4 months ago +5

    At first glance this is actually hilarious to see, but I feel so bad for the patients at hospitals affected by this. That's the worst part. Something like this will literally cost lives. Crazy

  • @vivekbernard
    @vivekbernard 4 months ago +18

    One thing though, using a kernel mode driver is not exclusive to CrowdStrike. Many other AV/EDR systems use drivers as well.
    In fact a very similar thing happened with Symantec a while ago.

    • @brandonn.1275
      @brandonn.1275 4 months ago +7

      At this point Windows is going to need to boot anti-virus software out of the kernel and provide an API for AVs to do their job instead of having them insert a driver into the kernel.
      This is what Mac did when they booted AV vendors from the kernel after publishing an endpoint security API for them to use.
      Linux has something similar in the form of ebpf hooks and bpf programs that can run in Kernelspace while being guaranteed to be unable to crash the kernel.

    • @dead-claudia
      @dead-claudia 4 months ago +4

      iirc even Linux security software sometimes needs kernel mode drivers.
      stuff like CrowdStrike can avoid needing a driver on Linux bc they can just use eBPF tho. Mac still needs a kernel driver.

    • @JSmith73
      @JSmith73 4 months ago +3

      Yeah, the affected CS update just happened to target a Windows named pipe vulnerability, so in this case only Windows was updated.
      So just blanket-blaming Windows like OP did is a bit lazy. Their Apple and Linux customers just got lucky.

    • @theairaccumulator7144
      @theairaccumulator7144 4 months ago

      @@JSmith73 Macbrained webdevs can't see the world as it actually is. They're used to rewriting their entire app (which is just plumbing between AWS, databases and APIs) in the latest JS framework every 3 months. They don't realize that most legacy vendor software, which is what the world actually runs on, is a piece of crap and was written by a team of 10 contractors over a few months for a specific Pentium Windows XP machine in 2005 and has become a mountain of hacks and patchwork because management doesn't want to spend money on improving it.

    • @brandonn.1275
      @brandonn.1275 4 months ago

      @@dead-claudia Mac doesn't allow AVs into the kernel anymore instead they published an API for them to use and won't allow AVs to install kernel extensions anymore. In fact kernel extensions have been deprecated for a while now and only userspace system extensions can be installed.

  • @wckvn
    @wckvn 4 months ago +9

    Running bit-locker feels more like a "Hurt Locker"...

  • @temp50
    @temp50 4 months ago +6

    3:40 Not true. Falcon sensor is available for Mac and for Linux too. The real reason it happened on Windows only is because 1.: CrowdStrike seemingly made a mistake only in the Windows driver, 2.: Windows is waaaay more popular in businesses (both server and desktop side) than anything else.

  • @WiseWeeabo
    @WiseWeeabo 4 months ago +8

    This seems like one of those applications where you'd expect every pull request to go through a "committee" such that you don't have some one guy writing a bug into the code..

    • @nineflames2863
      @nineflames2863 4 months ago +6

      Or malware. Seriously, if this could happen due to some stupid mistake, imagine how bad it would have been if an actual bad actor had social engineered their way into position to abuse the hell out of it.

    • @liam3284
      @liam3284 4 months ago

      Or there is a nice vulnerability sitting there for malware to poke at. I'm sure Falcon is going to be put through some fuzzing by the bad black hats.

  • @kuro0021
    @kuro0021 4 months ago +3

    The problem with a bootable USB device is that a lot of corporate systems also disable USB for security reasons, this gets more interesting 😂

  • @corymollak2093
    @corymollak2093 4 months ago +1

    The real questions that everyone should be asking is ...... What happened during, DURING the bootloop, because that's when anyone can access ANYTHING....and yesterday was an entire day of chances!

    • @nicejungle
      @nicejungle 4 months ago

      There is no network, genius, that's why this problem cannot be remotely fixed

    • @corymollak2093
      @corymollak2093 4 months ago

      @@nicejungle 😄😆🤣

  • @brentlidstone1982
    @brentlidstone1982 4 months ago +18

    Every single time something really shitty like this happens.. almost without fail. EVERY SINGLE TIME: Look at the education of the CEO.
    George Kurtz: Degree in Accounting. (no formal science, tech, engineering, or computer education of any kind... I can see he claims he can program but as far as I can tell, he's never actually worked a job involving programming or science of any kind.)
    The fact that this company pushed a driver rollout to hundreds of millions of people SIMULTANEOUSLY without checking it worked first tells you EVERYTHING you need to know about how this dude runs this company. If he had any actual knowledge of computer systems he wouldn't have allowed that to happen. And yet he did.
    When will the world wake up and start to realize that shit like this always happens when you put business people in charge of technology they don't comprehend. Now I'm not saying George Kurtz knows nothing about programming, it's completely fair to be self-taught. But as far as I can tell he never did anything science-related at his job in any capacity, and his claim to fame is that he co-wrote a book about computer hacking with some actual computer scientists back in the 90s. Ever since then everyone has treated him as though he himself is a computer scientist, even though he's not actually. And after a #$#@ up this extraordinarily bad, it seems it was wrong to believe he knew what he's doing. There's NO WAY a mistake this bad could have happened without his express knowledge and instruction that this is how they operate.
    Stop trusting bean counters with important technology.

  • @AdderoYuu
    @AdderoYuu 4 months ago +17

    I don't understand why everyone is so caught up over this "kernel level driver" thing - this is not built for consumer PCs. EDR solutions REQUIRE kernel level access to even be effective at catching as much malicious software as possible - it gives you such an upper hand and allows you to check and scan EVERYTHING on the machine. For a consumer non-business user device, this is super undesirable and would not be a good solution - but for a business that requires intense security to protect their data? At least for the moment, there is no other way.
    Those saying that Windows is the only OS unsecure enough to need this and jabbing at Windows... Yeah. Just Windows things. I mean it's not like Linux and macOS are perfectly secure, but the general consensus is those OSes are more resilient to viruses than Windows. (Though it's not a bad thing to point out that most malware is written for Windows, because of how ubiquitous it is in industry.)

    • @uzlonewolf
      @uzlonewolf 4 months ago

      No, they do not require kernel level access. In fact they are not allowed to have kernel access on Macs and even Linux is moving over to eBPF where a bad driver can't crash the system.

    • @dead-claudia
      @dead-claudia 4 months ago +2

      @@uzlonewolf kernel drivers are allowed in Macs. and Linux kernel drivers are limited in a number of ways.
      notably, a kernel module is needed to monitor syscalls for processes you didn't spawn. and seccomp filters don't let you count anything, only filter.

    • @AdderoYuu
      @AdderoYuu 4 months ago +1

      @@uzlonewolf Because of the way that Windows is built and the way that threats/malware currently operate, the only way you can hope to catch everything, at least right now with current technology, ideas, and software, is with kernel level access. Hopefully this changes, but as of right now it is what we have. I am only applying this to Windows however because, obviously, we've found alternate solutions for Mac and Linux and have not needed to do this.

  • @innervoicesrpg
    @innervoicesrpg 4 months ago +12

    Ooooh yeah I love the voice that tech influencers have when they weren't expecting to go recording and their humanness comes out more??? Like, idk what it is about it, it sounds like you just woke up (compliment)

    • @amagicmuffin1191
      @amagicmuffin1191 4 months ago

      @@NormCantoral those weren't tech issues

    • @amagicmuffin1191
      @amagicmuffin1191 4 months ago +2

      @NormCantoral that makes sense, I just thought that interpretation was so unreasonable that it was more likely he just hasn't ever seen a software bug of this scale and severity that was caused by something so easily preventable. made sense to me bc he runs a tech channel.

  • @mageos98
    @mageos98 4 months ago +1

    I find a lot of the takes in this video to be misguided. Modern anti-malware software works by monitoring application behavior in addition to traditional known signature matching. The only way to get the level of access to protect at that level is through kernel modules (aka drivers). The Falcon scanner for Linux also has a kernel module for this reason. While there are a number of vulnerabilities in Windows, it is also the most used desktop OS. Securing desktops is a lot harder than securing a server because you have a user who may or may not do stupid stuff, which you worry less about on a server. There are multiple reports of CrowdStrike Falcon causing Linux kernel panics... they just are not as widespread as Windows.

  • @AstralPhnx
    @AstralPhnx 4 months ago +9

    Do note Crowdstrike has a kmode driver for Linux as well. And that also broke RHEL recently... OOPS

    • @llamatronian101
      @llamatronian101 4 months ago +2

      Yup, this isn't just an accident. It's a pattern.

    • @piquat1
      @piquat1 4 months ago +1

      Wow, the Fortune 50 company I used to work for had all the users on Windows, of course, the back end for the most critical things ran on RHEL. Wonder how they're doing now. lol

  • @Koraeffect
    @Koraeffect 4 months ago +2

    Oopsy daisy 😂 good thing I don’t have auto update. All the companies are responsible for this feature

  • @timothyvandyke9511
    @timothyvandyke9511 4 months ago +5

    I'm shocked how much Windows there is in infrastructure

  • @TheOtherNEO
    @TheOtherNEO 4 months ago +6

    Friday morning at the office I was jokingly asked if I caused it. The day before in the company Town Hall I announced that I cancelled the CrowdStrike contract and we have mostly removed Falcon from all devices. Only two left over machines had issues.

    • @Micloren
      @Micloren 4 months ago +1

      Curious, what was your reason for cancelling? Was it affecting productivity?

    • @TheOtherNEO
      @TheOtherNEO 4 months ago +1

      @@Micloren basic Falcon didn’t do much and got better data from the Checkpoint and Fortigate UTMs. Unless you shell out for the full SIEM, felt limited. Decided to up the network security instead and pay for a SOC/NOC service.

  • @samuelgunter
    @samuelgunter 4 months ago +39

    more like clown strike haha gottem

  • @gfixler
    @gfixler 4 months ago +1

    The amount of nonsense I haven't dealt with over two decades, since switching away from Windows to Linux in 2006. I was on most versions of Windows since 3.1 in 1991 (3.1, 3.11, 95, 2k, XP, NT, 7, 8, 10, the last three for work), and Linux has been like a breath of fresh air for 18 years. It's really nice to be able to actually control everything on my system.

  • @ItsEverythingElse
    @ItsEverythingElse 4 months ago +8

    Not sure what is scarier, that CrowdStroke released a bad version or that so many companies just blindly went with it without testing and staging it first.

    • @dead-claudia
      @dead-claudia 4 months ago +5

      this was supposed to be more like a config or signature update. this is like pushing a bad signature file to windows defender and causing it to crash.

    • @egria
      @egria 4 months ago +1

      Airlines, banks etc. not testing updates in isolated environments is absurd, yet reality. And most systems, if done properly, don't even need antivirus because they are supposed to be not connected to public networks. So this would be some management's push to order that software. Important systems should be set up in a way that assumes that something goes wrong, which means having a staging environment. This incident shows massive tech incompetence, either by itself or with a push of higher management wanting to reduce cost, or just falling for the lies of vendors about how great everything would be if companies trust them blindly.

    • @peanut3438
      @peanut3438 4 months ago +1

      The update was automatic I think D:

  • @ProfessionalBirdWatcher
    @ProfessionalBirdWatcher 4 months ago +1

    My rage at everyone downplaying this for CrowdStrike is immeasurable. This is a billion dollar company, with a B, trusted by critical government, public, and private services and they shafted each and everyone. The lack of outrage from our authorities is absolutely disgusting. Speaks a lot to the state of cybersecurity and tech in general

  • @lcarsos
    @lcarsos 4 months ago +6

    Hah! That USB boot idea would be fine, if it weren't booting you into safe mode after unlocking your bitlocker. That's prime attack territory for planting a rootkit while "helping" you clean up that crowdstrike BSOD. You'd have to audit everything about how that USB key came to be and all the software on there, from extremely trustworthy sources.

  • @Joealbert83
    @Joealbert83 4 months ago

    At this moment there are probably hundreds of foreign agents planted at all levels in important companies. Imagine the damage that can/will be done when the time comes.

  • @philipsauers4987
    @philipsauers4987 4 months ago +6

    Southwest Airlines unaffected. Use older version of Windows. Brilliant. Latest/Greatest not always good.

    • @TruthSeeker-m3w
      @TruthSeeker-m3w 4 months ago +2

      Could also be that they simply not using Falcon...

  • @bojangles9060
    @bojangles9060 4 months ago +1

    The most detail explanation I’ve seen. Thank you! Great video.

  • @Winnetou17
    @Winnetou17 4 months ago +15

    While I hate Microsoft about as much as Apple nowadays, your take on Windows in this specific case is totally wrong and uncalled for. Only Windows was affected because only that update was affected. Windows doesn't have anything worse than Mac or Linux here. Also Mac and Linux could've been just as much affected. That whole section is very cringe.
    Edit: I mean the section starting at 3:35
    The rest of the video is a-ok

    • @Whoami-b5c
      @Whoami-b5c 4 months ago +6

      Yeah, this could've happened to any of the OSs, especially in a corporate setting. That said, Apple actively discourages kernel extensions and has built alternatives in user mode.

    • @jonnyso1
      @jonnyso1 4 months ago +3

      In this particular case I *suspect* Linux would handle a faulty kernel module better, but I'm not sure. This is CrowdStrike's fault for sure, but I wonder if the way Windows handles these kernel level drivers could be better though.

    • @fallingintime
      @fallingintime 4 months ago +1

      I believe CrowdStrike uploaded a faulty module not a while ago, there was a Red Hat incident posted for it. But I guess it was not as widespread.

    • @jonnyso1
      @jonnyso1 4 months ago +1

      @@fallingintime But was it as catastrophic as an unbootable BSOD?
      Edit: Although it would probably be hard to compare unless it was at least a similar mistake.

    • @fallingintime
      @fallingintime 4 months ago +1

      @@jonnyso1 kernel panic that required a kernel fix I believe. Probably wasn't widespread as it only affected a specific kernel version and kernel updates are not OTA

  • @mykeprior3436
    @mykeprior3436 4 months ago +1

    a null file? No it's a low level admin, it's flat out a cyberattack by a disgruntled employee or malicious actor with access. Or someone playing around and MASSIVELY fucking up.
    For you to zero a file is deliberate, any checksum bundling the update would've instantly failed.
    Anyone with hexedit can zero a file.
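
    The two safeguards commenters keep coming back to, an integrity check on the update artifact (the zeroed file above) and a percentage-based rollout with a rollback plan (joshuathomasbird's point earlier in the thread), as one added example; this is illustrative code written for this page, not CrowdStrike's pipeline, and every host, file and crash behaviour in it is constructed.

```python
import hashlib
import math
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Manifest:
    """What a build pipeline would publish alongside an update artifact (constructed)."""
    sha256: str
    size: int


def manifest_for(data: bytes) -> Manifest:
    """Built at build time, from the artifact that actually passed testing."""
    return Manifest(sha256=hashlib.sha256(data).hexdigest(), size=len(data))


def verify_artifact(data: bytes, manifest: Manifest) -> tuple[bool, str]:
    """Gate run before distribution, and again on each host before the file is loaded.
    A zero-filled file of the right size passes a naive size check; the explicit
    all-zero test and the hash are what actually reject it."""
    if len(data) != manifest.size:
        return False, f"size {len(data)} != manifest size {manifest.size}"
    if not any(data):
        return False, "artifact is all zero bytes"
    if hashlib.sha256(data).hexdigest() != manifest.sha256:
        return False, "sha256 mismatch"
    return True, "ok"


@dataclass
class Host:
    name: str
    crashes_on_update: bool = False  # constructed: boot-loops after applying the update
    version: str = "old"


@dataclass
class RolloutResult:
    status: str                                          # "completed" or "halted"
    waves_run: list[int] = field(default_factory=list)  # cumulative % reached per wave
    updated: int = 0      # hosts on the new version and healthy
    stranded: int = 0     # hosts that crashed: no remote rollback is possible for them
    rolled_back: int = 0  # healthy updated hosts returned to the old version on halt


def staged_rollout(hosts: list[Host], waves=(1, 10, 50, 100),
                   max_crash_rate: float = 0.0) -> RolloutResult:
    """Push the update in cumulative percentage waves. After each wave, measure the
    crash rate of that wave's cohort and halt (rolling back every reachable host) if
    it exceeds max_crash_rate. Crashed hosts cannot be rolled back remotely, which
    is exactly why the first wave is kept small."""
    result = RolloutResult(status="completed")
    total, done = len(hosts), 0
    for pct in waves:
        target = math.ceil(total * pct / 100)
        cohort = hosts[done:target]
        done = target
        crashed = 0
        for h in cohort:
            h.version = "new"
            if h.crashes_on_update:
                crashed += 1
        result.waves_run.append(pct)
        result.stranded += crashed
        result.updated += len(cohort) - crashed
        rate = crashed / len(cohort) if cohort else 0.0
        if rate > max_crash_rate:
            for h in hosts[:done]:
                if h.version == "new" and not h.crashes_on_update:
                    h.version = "old"
            result.rolled_back, result.updated = result.updated, 0
            result.status = "halted"
            break
    return result


def make_fleet(n: int, bad_update: bool) -> list[Host]:
    """Constructed fleet; with a bad update every host boot-loops, as in the incident."""
    return [Host(f"host-{i:03d}", crashes_on_update=bad_update) for i in range(n)]


if __name__ == "__main__":
    good = b"constructed detection rule set v2 (not a real CrowdStrike file)"
    print(verify_artifact(good, manifest_for(good)))
    print(verify_artifact(bytes(len(good)), manifest_for(good)))
    print(staged_rollout(make_fleet(200, bad_update=True)))   # halts after the 1% wave
    print(staged_rollout(make_fleet(200, bad_update=True), waves=(100,)))  # big bang
```

With a 200-host fleet the staged run strands 2 hosts before halting; the single-wave run strands all 200, which is the difference between a support ticket and a manual visit to every machine.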

  • @silverknightgundam1196
    @silverknightgundam1196 4 months ago +4

    It's not a Microsoft bug/error. It's a CrowdStrike bug/error

  • @alirobe
    @alirobe 4 months ago +2

    Crowdstrike on Linux had the exact same issues a few months ago.

  • @HumanAction76
    @HumanAction76 4 months ago +14

    CEOs can't apologise to that extent for legal reasons. That proposed comment would bankrupt the company.

    • @dead-claudia
      @dead-claudia 4 months ago +5

      yep, especially since they're publicly traded.
      privately owned companies can get away with more, but only bc there's a lot fewer people who could have standing to sue over that.

  • @DohTheOpinionator
    @DohTheOpinionator 4 months ago

    DUDE!!! I managed to use a combination of your guidance and a "shortcut" and I fixed my workstation. You're awesome!!!! My company doesn't allow access to the folder so I had to shortcut my email to my personal machine to get temp admin access. Other than that, followed the instructions, and voilà, I'm in. Thanks.

  • @everbliss7955
    @everbliss7955 4 months ago +7

    3:34 - People always think hackers target Windows because it is insecure but that's actually not true. Microsoft Windows is the most used at 72.22%, followed by Apple's macOS at 14.73%, desktop Linux at 3.88%. Just by looking at this, one can easily deduce what operating system a sensible hacker would target if they wanted to create malware. So, it's not that the other operating systems are secure but a matter of ROI. If you spend a month creating malware for Windows you get 72% possible targets while on the other hand spending a month creating macOS malware will give you only 14.73% possible targets.

    • @Texas3Percenter
      @Texas3Percenter 4 months ago

      It's purposely written like swiss cheese, full of back doors and vulnerabilities so they and intelligence agencies can access your computer any time they want. Linux is not. So Linux users don't have to worry about viruses or malware and don't have to put middle-man software between them and their machines to protect them from their malware/spyware OS. The only thing I use on my Linux servers is a firewall and Fail2Ban to prevent brute force pwd cracking.

    • @nalstudio_official
      @nalstudio_official 4 months ago

      ​@@Texas3Percenter bruh you repeat this borderline insane conspiracy shit on every single comment

    • @Texas3Percenter
      @Texas3Percenter 3 months ago

      @@nalstudio_official You're just not knowledgeable of these things, bruh. Educate yourself before you go talking shit.

  • @fliporflop7119
    @fliporflop7119 4 months ago +1

    Basically, they over-complicated everything in the name of 'security' to the point of keeping themselves out. Bravo! 👏

  • @Lucius4992
    @Lucius4992 4 months ago +6

    Every time I hear about this it starts saying (pretty much every PC in the world was affected). I never heard about CrowdStrike before. Every person I know is unaffected and I didn't hear about any company or service affected where I live. Anyway, good luck guys.

    • @JoshuaRotimi
      @JoshuaRotimi 4 months ago +2

      Lol. So Annoying. His own PC was not even affected so I'm wondering how he came about "every PC in the world"

    • @craigalexander9421
      @craigalexander9421 4 months ago +2

      As soon as he said that I stopped listening. I wonder what else he is going to get wrong. So much misinformation going around.

    • @TalynOne
      @TalynOne 4 months ago +3

      Yep, this video is just full of misinformation.

    • @adedayoadedapo472
      @adedayoadedapo472 4 months ago +4

      I think it primarily affected enterprise clients, and that's what he should have led with. But I guess he couldn't resist a little Microsoft slander 😂😂

  • @shaunweinberg2463
    @shaunweinberg2463 4 months ago +2

    Somebody changed one line of code on a Friday afternoon, pushed the pipeline, and now we get this

  • @AppleAlumDotBlogSpot
    @AppleAlumDotBlogSpot 4 months ago +13

    @t3dotgg Your description of the Windows / Active Directory / BitLocker login process is inaccurate. The bitlocker key is not retrieved from AD or other remote DB when you auth, but rather from the device’s local TPM.

    • @uzlonewolf
      @uzlonewolf 4 months ago +5

      I believe he is talking about the recovery key, which *is* retrieved from AD or another DB.

  • @jeronimo196
    @jeronimo196 4 months ago +1

    Real men test in production.

  • @BryanK-y5y
    @BryanK-y5y 4 months ago +4

    I mean there's no way a company with that many skilled people rolls out a zero-byte file. Does anyone think this was deliberate? There's more to this

  • @randomeman3
    @randomeman3 4 months ago +1

    At my workplace I responded to this incident at 12:45 am, the local dispatch center had all the computers down.
    I was not given approval by my higher-ups to run the fix until around 8 am that same day.
    Man did I sleep good Friday evening.

  • @mohamed1208
    @mohamed1208 4 months ago +25

    This had to happen during my vacation week

    • @vladfather916
      @vladfather916 4 months ago +2

      Lol

    • @Jimothy-723
      @Jimothy-723 4 месяца назад

      oof

    • @chaseywoot
      @chaseywoot 4 месяца назад

      This had to happen during my school's online subject selection

    • @Texas3Percenter
      @Texas3Percenter 4 месяца назад +2

      That sucks! I have to close on 2 real estate deals Monday. They won't happen til this is fixed. Thanks, banks, for using crowdstrike! If you were using Linux instead of Windows, you wouldn't need to.

    • @andrewreed1329
      @andrewreed1329 4 месяца назад

      suck it up lol

  • @tom_verlaine_again
    @tom_verlaine_again 4 months ago +1

    Great video! Really liked how you went about the topic in a calm, humble, but interesting way? Idk. Subscribed.

  • @DEEPMMA
    @DEEPMMA 4 months ago +3

    A lot of hospital computers are down too, which is very dangerous

  • @timseguine2
    @timseguine2 4 months ago +1

    I can't imagine the infrastructure that could let this happen. I have worked at a lot of companies, and even ones that haven't always had the best practices. But every single one of them had measures in place that would have caught this problem in at least 5 places before a customer got it.

  • @liningpan7601
    @liningpan7601 4 months ago +7

    The file full of zeros looks suspicious. Could it be a supply-chain attack?

    • @Wayoutthere
      @Wayoutthere 4 months ago

      CS biggest investors/owner...Blackrock

    • @andrewhooper7603
      @andrewhooper7603 4 months ago +1

      @@Wayoutthere Blackrock hacked CrowdStrike?

  • @TraciBradley-i8k
    @TraciBradley-i8k 4 months ago +2

    The problem is the monopoly CrowdStrike has on critical infrastructure

    • @nicejungle
      @nicejungle 4 months ago

      the problem is critical infrastructure shouldn't use an OS designed for gaming

  • @jaguarj1942
    @jaguarj1942 4 months ago +24

    The take on Windows being the least secure OS is a bit biased. The real reason why most cyber attacks happen through Windows is because 1. It is the most used OS by a huge margin. 2. Since it is so widely used, hackers focus on finding vulnerabilities in Windows instead of other OSes like Linux.

    • @Texas3Percenter
      @Texas3Percenter 4 months ago +5

      It's purposely written like Swiss cheese, full of back doors and vulnerabilities so they and intelligence agencies can access your computer any time they want. Linux is not. So Linux users don't have to worry about viruses or malware and don't have to put middle-man software between them and their machines to protect them from their malware/spyware OS. The only thing I use on my Linux servers is a firewall and Fail2Ban to prevent brute-force pwd cracking.

    • @insu_na
      @insu_na 4 months ago +1

      Complete fabrication. Linux is the most widely used OS. Get your facts straight

    • @AlexanderOsias
      @AlexanderOsias 4 months ago

      @@insu_na really? How so? I thought it was Windows.

    • @bambooindark1
      @bambooindark1 4 months ago +2

      @@insu_na In which context did you mean Linux is the most widely used OS?

    • @JustFacts42
      @JustFacts42 4 months ago

      @@Texas3Percenter Oh, so your Linux box is insanely easy to get into. Interesting that you let us know this....

  • @Hurricayne92
    @Hurricayne92 4 months ago +2

    This being an accident is more terrifying than if it was done on purpose.

    • @michaelwills1926
      @michaelwills1926 4 months ago

      Maybe this was the canary test for that intent. Integration has teeth

  • @fatalglory777
    @fatalglory777 4 months ago +9

    Why does a badly written driver stop the machine from booting? Shouldn't that driver just be skipped and whatever device it targets not work?
    Seems like a terrible design within Windows.

    • @DimkaTsv
      @DimkaTsv 4 months ago +6

      It is not a Windows design issue.
      It is the driver being written as kernel-mode, to gain extensive privileges over the system in an attempt to prevent malware activity. Meaning it becomes required to boot before even Windows takes over.
      And if it crashes, well, Windows hadn't booted yet. And it cannot exclude this driver from the list as it is listed as mandatory. Loop repeats. And no recovery window appears because the system crashes before it even reaches said state.
      Someone even said that CrowdStrike already did similar stuff to Linux systems on 19 April.
      Linux and Mac versions of CrowdStrike are also using kernel mode drivers, albeit with some nuances (like there being a restricted version for Linux). And a similar case could've also caused a bootloop (on Linux a BSOD is better known as a Kernel Panic).

    • @norbert.kiszka
      @norbert.kiszka 4 months ago +3

      @@DimkaTsv This is a Windows design issue. Try to load the exact same file as a Linux module. It will not crash, but you will have a simple warning and that's it.

    • @paavobergmann4920
      @paavobergmann4920 3 months ago

      the prob is it had to be done as a driver to get kernel mode. MS tried to develop and license an interface that would allow that without having to load potentially sketchy kernel-mode drivers before boot, but then the EU stepped in and forbade it, because, they figured, it would give MS an unfair advantage on the market, if they were to choose who would get costly privileged kernel access. So you can blame the EU as well.
      Or you can blame CrowdStrike for knowing they are doing very, very sensitive stuff, but OTA-pushing a bad, untested update regardless.

  • @H4KnSL4K
    @H4KnSL4K 4 months ago +2

    @3:42 - Re: "This only happens on Windows, because it's the only one that's insecure enough to have problems like this"? I don't know about this .. if Linux or Mac had the most market share, such that a company like CrowdStrike ran its software in the kernel to prevent malware, and they pushed a bad update .. maybe the screen wouldn't be *blue*, but you'd have a kernel OOPS or a reboot or a kernel panic, etc. It's not because Windows is inherently less secure. (Even though that might be the case) And it's just a pile of hacks on top of each other? Dude, I think Windows has quality problems, but I think this statement is just too simple and immature. I've lost a lot of respect for you now.

  • @NillKitty
    @NillKitty 4 months ago +10

    You really lost me on this one, Theo. There isn't anything here that couldn't happen on Linux, in fact, it did -- about a month ago. It's not guarding your bootup and preventing you from booting in an unsafe environment, it's just a broken kernel mode driver. I got bluescreened. You know what happened? Windows dumped its RAM, rebooted into last known good config, I shrugged, and moved on. I can't believe this overshadowed Trump being shot to the point I hadn't heard about the latter until an hour ago

    • @mwahlert
      @mwahlert 4 months ago +2

      Exactly! Ignorant people acting like this can't happen on Linux. EDR agents on Linux are just as deeply ingrained, and highly privileged.

    • @NillKitty
      @NillKitty 4 months ago

      @@mwahlert "omg Windows"... No... Omg the market share! Bet you didn't know Windows ran in all *these* places :3.
      "Omg Windows needs this?" Up until 2019 CS didn't even have any offensive antimalware tech, it was purely marketed as a distributed, crowd-sourced IDS for setting a baseline and then detecting anomalies (whether abnormal for your business, or just plain universally unusual activity)
      "Omg a driver?" Yeah .. if you want network inspection (NDIS) or any kind of endpoint DLP, and unless you want your employees ripping it out, changing its permissions, etc. As someone inconvenienced by it daily since I run executables classified as "hacking tools", CS does an amazing job of preventing bad stuff from running, no matter who you are. First CS issue I've ever faced that wasn't as simple as requesting an exception for a given piece of software.

    • @sub-harmonik
      @sub-harmonik 4 months ago +4

      I mean this happened last night and Trump got shot 6 days ago.. living under a rock sounds like a choice
      also Windows is the hodgepodge of configurations and programs and APIs he said it is. Everything is an inconsistent mess and it seems reasonable to think that would leave more security issues..

    • @deedos
      @deedos 4 months ago +2

      I wouldn't say this overshadowed the Trump shooting, that's just a reflection of the content you interact with, there's been tons of coverage over the last week regarding Trump

  • @timchorle
    @timchorle 4 months ago +1

    (IT) "Ok sir, we need to put your computer in safe mode..." (User) "Hold on, I don't think it will fit in there.. this thing is heavy!"

  • @ws_stelzi79
    @ws_stelzi79 4 months ago +3

    Yea, being locked out by a faulty update of a security thingy dodat!
    JUST one question: who will pay for all the hours of work for this faulty update? Are lawyers already drafting suits? 😦🤑

    • @felixyoghurt3291
      @felixyoghurt3291 4 months ago +1

      Every cloud strike has a silver lining 🤣

  • @Marenthyu
    @Marenthyu 4 months ago

    "Imagine trying to explain this to Carl in sales"
    No need to imagine when I have done that. Multiple times.
    Hello from IT Support!

  • @starupiva
    @starupiva 4 months ago +6

    I am a support partner for Microsoft. To resolve this issue, boot into safe mode or the recovery environment and then go to the C:\Windows\System32\drivers\CrowdStrike directory and delete the "C-00000291*.sys" file. Then restart the system in normal mode. That should fix the issue.

    • @malvoliosf
      @malvoliosf 4 months ago +12

      If you have an unencrypted drive...

    • @starupiva
      @starupiva 4 months ago

      @@malvoliosf even if you have encryption enabled, if you have the recovery key. The recovery key can be obtained from your Microsoft account. Enter it to get into the recovery console. Once you do that, get into safe mode and delete the crowdstrike.sys file.

    • @uzlonewolf
      @uzlonewolf 4 months ago +4

      @@malvoliosf There are now instructions on how to do it on encrypted drives without a known key as well.

    • @Micloren
      @Micloren 4 months ago +1

      Average person & a good chunk of IT people don't know what safe mode is nor how to navigate a command line.

    • @death_au
      @death_au 4 months ago +2

      It asks for UAC, too. So still need IT to do it for me, even if I know how 🤷
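The manual steps in @starupiva's comment, scripted as an added example for administrators working through a fleet of machines (this is not the commenter's, CrowdStrike's or Microsoft's code). It assumes an elevated PowerShell session in Safe Mode or the recovery environment with the Windows volume mounted as C:, as in the comment; the directory and file pattern are the ones given there, while the parameter names and the -WhatIf flow are this example's own.

```powershell
# Added example: locate and remove the channel file(s) named in the thread,
# after checking the preconditions the replies above point out (UAC/elevation,
# the drive actually being reachable). Supports -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Path and pattern as given in the comment above.
    [string]$DriverDir = 'C:\Windows\System32\drivers\CrowdStrike',
    [string]$Pattern   = 'C-00000291*.sys'
)

# Deleting under System32 needs an elevated session; fail early and clearly.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# On a BitLocker-protected volume this is where a missing recovery key shows up:
# the directory simply is not reachable.
if (-not (Test-Path -LiteralPath $DriverDir -PathType Container)) {
    throw "Directory not found: $DriverDir (is the Windows volume unlocked and mounted as C:?)"
}

# Match only files directly in that directory; never recurse or touch anything else.
$channelFiles = @(Get-ChildItem -LiteralPath $DriverDir -Filter $Pattern -File)
if ($channelFiles.Count -eq 0) {
    Write-Host "No files matching $Pattern in $DriverDir; nothing to do."
    return
}

foreach ($f in $channelFiles) {
    # Record name, size and timestamp before removal so there is an audit trail
    # of exactly what was deleted on each machine.
    Write-Host ("{0}  {1,8} bytes  {2:u}" -f $f.Name, $f.Length, $f.LastWriteTime)
    if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove channel file')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}
Write-Host 'Done. Reboot into normal mode.'
```

Run it once with -WhatIf to see which files would be removed without deleting anything.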

  • @omaradrian80
    @omaradrian80 4 months ago

    Great video! It explained exactly what I did yesterday, I figured out how to obtain my recovery key with my phone by using the URL and then I could open a command line in safe mode and finally delete the file.
    The best video that I found so far about the issue

  • @marcelguinhos9022
    @marcelguinhos9022 4 months ago +5

    She wrote the tweet with ChatGPT. 😂