
Crowdstrike Bug Shuts Down… Basically Everything

ThatRobGuy

But it actually worked as programmed, didn't it?
Is this that meme of the guy pointing to his head and saying

"you can't get a virus, if your computer won't boot up"


I'm sure someone probably has already made that one today...they had to have lol
 

iluvatar5150

Is this that meme of the guy pointing to his head and saying

"you can't get a virus, if your computer won't boot up"


I'm sure someone probably has already made that one today...they had to have lol
yeah, I saw something to that effect on reddit this morning
 

ThatRobGuy

Anyway, as of 3:45 EST, our internal operations are back up and good to go, as are all of our clients except for 2 (their recovery has the extra wrinkle of them using BitLocker)
 

RDKirk

Anyway, as of 3:45 EST, our internal operations are back up and good to go, as are all of our clients except for 2 (their recovery has the extra wrinkle of them using BitLocker)
Boooo on BitLocker. It has its place, but not on my system. BitLocker bricked one of my laptops...actually locked up the BIOS.
 

RocksInMyHead

I don't either but I didn't realize how big Crowdstrike is, isn't it a fairly new company?
They've been around since 2012, so not particularly new.
 

ThatRobGuy

I don't either but I didn't realize how big Crowdstrike is, isn't it a fairly new company?
They've been around for over a decade at this point...but yes, their global footprint is pretty massive (as we all witnessed yesterday, by hospital systems, airlines, and banking institutions all over the world getting negatively impacted)
 

pgp_protector

Thankfully our company doesn't use CrowdStrike :)
But there were at least 3 failures on this
1) The Developer with the bad patch (happens to all of us)
2) The Reviewer who approved the Merge Request into master (They are doing software reviews before releasing, right?)
3) QA who released the patch.
 

RDKirk

Thankfully our company doesn't use CrowdStrike :)
But there were at least 3 failures on this
1) The Developer with the bad patch (happens to all of us)
2) The Reviewer who approved the Merge Request into master (They are doing software reviews before releasing, right?)
3) QA who released the patch.
I don't think any of those were the problem, as I understand it. The software did precisely what it was designed to do: It discovered a vulnerability or change in Microsoft's kernel, was unable to fix it, so it shut the system down as designed.

The problem was that it was Microsoft's own change to their kernel that the software didn't know about.

Back when I owned a farm of 60 test servers and 50 production for a Fortune 50 company, it was my job on "Microsoft Tuesday" to run the Microsoft updates on my test servers (they ran various different production applications) to make sure the Microsoft update didn't break any of the company applications or server functions. The company policy was that every Microsoft update would be applied by that next Tuesday, so my response could never be "don't run the update," my response had to be, "Hey, devs, these are the applications this update will break...I hope you've got plenty of Mountain Dew!"

Well, that applied to me, too, because whatever patches the devs developed, I still needed to test them in my test farm against the Microsoft update and then apply in "prod" before that next Tuesday.
 

Belk

I don't think any of those were the problem, as I understand it. The software did precisely what it was designed to do: It discovered a vulnerability or change in Microsoft's kernel, was unable to fix it, so it shut the system down as designed.

The problem was that it was Microsoft's own change to their kernel that the software didn't know about.

Back when I owned a farm of 60 test servers and 50 production for a Fortune 50 company, it was my job on "Microsoft Tuesday" to run the Microsoft updates on my test servers (they ran various different production applications) to make sure the Microsoft update didn't break any of the company applications or server functions. The company policy was that every Microsoft update would be applied by that next Tuesday, so my response could never be "don't run the update," my response had to be, "Hey, devs, these are the applications this update will break...I hope you've got plenty of Mountain Dew!"

Well, that applied to me, too, because whatever patches the devs developed, I still needed to test them in my test farm against the Microsoft update and then apply in "prod" before that next Tuesday.
We appreciate you guys being the guinea pigs. We started delaying our QA for a week after patch Tuesday to see if everyone else ran into issues.
 

RDKirk

Here is an easily understood (and probably 99% correct) overview of what happened.

So, it looks like CrowdStrike Falcon got administrative permission from Microsoft to operate within the sacrosanct Microsoft kernel, but then gave itself permission to breach Microsoft's protection of the kernel to do a lot more in the kernel than Microsoft intended anything should do. I think that makes CrowdStrike Falcon a Trojan Horse by perfect definition.

 