veeesix@lemmy.ca
on 24 Jul 2024 17:14
So one banana.
deranger@sh.itjust.works
on 24 Jul 2024 17:20
$10 to Uber eats, so basically it’s covering fees only.
dinckelman@lemmy.world
on 24 Jul 2024 18:32
Not only that, but usually to activate these cards, you have to spend upwards of double what the card is worth too, and the fees cannot be included in the total
verity_kindle@sh.itjust.works
on 24 Jul 2024 23:03
Like amzn, they make sure you get minimum joy, even from a gift, because you’re going to spend a chunk of mom’s gift card balance on shipping. The “shipping included on sub total of X amount” is going to be cancelled by online retailers within a year, I’m calling it now. Are we sure that cheapstrike and amzn aren’t run by the same AI, one that self awareness drove mad?
subignition@fedia.io
on 24 Jul 2024 17:24
I can't believe this isn't satire. I hope these incompetent fuckers get sued into bankruptcy
sanpo@sopuli.xyz
on 24 Jul 2024 17:44
I’m still not sure. It’s hard to believe anyone at their company would OK this idea.
Are they actually trying to deliberately kill their brand?
iAmTheTot@sh.itjust.works
on 24 Jul 2024 18:14
You haven’t heard? Satire is well and truly dead.
David_Eight@lemmy.world
on 24 Jul 2024 18:43
There’s definitely some clause with the $10 gift card that says you can’t sue them if you actually take one lol.
You joke but I read they may get out of this without issue due to a TOS entry about them not being responsible. They’ll still get dragged from shareholders and the government, but only a handful of large companies may be able to recoup some of those damages from the company itself.
It’s like the Sacklers and the opioid epidemic, from a different industry!
MataVatnik@lemmy.world
on 24 Jul 2024 19:42
I straight up thought it was satire. How can you be so fucking detached. Basically caused the biggest information infrastructure disruption in human history, probably billions in losses, and then be like “my bad lol here’s a giftcard”.
ace_garp@lemmy.world
on 24 Jul 2024 20:40
“Two feet on the gas” - Official Crowdstrike motto.
not /s
TrickDacy@lemmy.world
on 24 Jul 2024 20:58
I cackled loudly. $10 won’t even buy a meal at McDonald’s most places.
CileTheSane@lemmy.ca
on 24 Jul 2024 22:13
I bet the Onion had an article about Crowdstrike offering the world a pizza party and expired Bed Bath & Beyond coupons to say they’re sorry. Real life might be quicker than satire, it seems!
Basically caused the biggest information infrastructure disruption in human history
Do we have any solid data on that yet? I have my doubts that this caused more damage than WannaCry did a few years ago, especially since it’s reversible without the need of a backup
MataVatnik@lemmy.world
on 25 Jul 2024 10:50
Brother, or sister, I know fuck all about information technology. You make a good point and definitely know way more about this than I do. But I will say this: I don’t think WannaCry disrupted millions of people’s travel plans all at once. So maybe less damage, but I think it was hella more disruptive to the general population.
thorbot@lemmy.world
on 24 Jul 2024 17:25
pelespirit@sh.itjust.works
on 24 Jul 2024 17:50
Holy shit, they also cancelled it. Lmao
On Wednesday, some of the people who posted about the gift card said that when they went to redeem the offer, they got an error message saying the voucher had been canceled. When TechCrunch checked the voucher, the Uber Eats page provided an error message that said the gift card “has been canceled by the issuing party and is no longer valid.”
rand_alpha19@moist.catsweat.com
on 24 Jul 2024 18:11
Gotta love some shit icing on the shit cake.
TheReturnOfPEB@reddthat.com
on 24 Jul 2024 21:10
The gift card is also cursed.
CileTheSane@lemmy.ca
on 24 Jul 2024 22:13
JoMiran@lemmy.ml
on 24 Jul 2024 17:53
I expect these clowns to lose most of their market share within two years and get sued to oblivion.
My firm bills by the hour and so far I think we are at 10+ billing hours per consultant wasting time with client tech support trying to get back on our VDIs. Nevermind how much time is being wasted doing the work through work arounds. My guess is that our firm alone will bill for about $100,000 extra this month while having accomplished less than normal. I am sure Crowdstrike’s gift card will fix it though.
delirious_owl@discuss.online
on 24 Jul 2024 20:45
They’re backed by the US government. They have a backdoor into most endpoints on many international corporate computers. And CS is beholden to US laws for NSLs.
This is an incredible asset to the US intelligence community. They won’t let CS go out of business.
Mango@lemmy.world
on 24 Jul 2024 17:55
Bruh
themoonisacheese@sh.itjust.works
on 24 Jul 2024 17:55
This is a classic move to not get sued, exactly like airlines do. If you try to sue them after redeeming the gift card, they can argue that you’ve been made whole, and do 'ot 'eed additional compensation.
MeetInPotatoes@lemmy.ml
on 25 Jul 2024 03:28
Your ‘n’ key has been sleeping with the apostrophe.
Rolando@lemmy.world
on 24 Jul 2024 17:56
Not nearly enough. CrowdStrike should give a pizza party.
CatZoomies@lemmy.world
on 24 Jul 2024 18:09
I see you’re channeling the powers of middle management.
Only needs a sticker that says “You’re a rock star!”
ironhydroxide@sh.itjust.works
on 24 Jul 2024 18:21
Not to mention mugs with crowdstrike branding on them, but only for 1/3 the invited people.
acosmichippo@lemmy.world
on 24 Jul 2024 22:49
hold your horses, we can still use the melon party and waffle party first. no need to jump straight to pizza.
some_guy@lemmy.sdf.org
on 24 Jul 2024 18:05
Only redeemable for CrowdStrike credits and only at participating locations.*
* No locations are participating at this time.
Ghyste@sh.itjust.works
on 24 Jul 2024 18:11
On Wednesday, some of the people who posted about the gift card said that when they went to redeem the offer, they got an error message saying the voucher had been canceled. When TechCrunch checked the voucher, the Uber Eats page provided an error message that said the gift card “has been canceled by the issuing party and is no longer valid.”
Voucher was for PR, not for peasants to use it lol
over_clox@lemmy.world
on 24 Jul 2024 18:43
All they gotta do is change their company name to avoid lawsuits. Anyone got any ideas for a new name for them?.. 🤔
ClusterFuck comes to mind…
ICastFist@programming.dev
on 24 Jul 2024 19:57
ComputersOnStrike could work, I’d say
verity_kindle@sh.itjust.works
on 24 Jul 2024 23:04
CardStrike?
MehBlah@lemmy.world
on 24 Jul 2024 19:11
Here is nothing but we are really, really, south park sorry.
Macaroni_ninja@lemmy.world
on 24 Jul 2024 19:16
In total?
digdilem@lemmy.ml
on 24 Jul 2024 20:35
I lost a day’s holiday, and our team spent 8 man days on this entirely preventable mistake.
$10? Try extending our licence by another year for free, that might start going towards it.
MrMcGasion@lemmy.world
on 25 Jul 2024 03:15
Why would you want another year of their software for free? This is their second screw up (apparently they sent out a bad update that affected some Debian and RHEL machines a couple years ago). I’d be transitioning to a competitor at the first opportunity. It seems they aren’t testing releases before pushing them out to customers, which is about as crazy to me as running alpha software on a production system.
I’m sure you have reasons, and this isn’t really meant to be directed at you personally, it’s just boggling to me that the IT sector as a whole hasn’t looked at this situation and collectively said “fuck that.”
scrubbles@poptalk.scrubbles.tech
on 25 Jul 2024 05:55
Nah, I don’t buy that. When you’re in critical infrastructure like that it’s your job to anticipate things like people being above or below versions. This isn’t the latest version of flappy bird, this is kernel level code that needs to be space station level accurate, that they’re pushing remotely to massive amounts of critical infrastructure.
I won’t say this was one guy, and I definitely don’t think it was malicious. This is just standard corporate software engineering, where deadlines are pushed to the max and QA is seen as an expense, not an investment. They’re learning the harsh realities of cutting QA processes right now, and I say good. There is zero reason a bug of this magnitude should have gone out. I mean, it was an empty file of zeroes. How did they not have any pipelines to check that file, code in the kernel itself to validate the file, or anyone put eyes on the file before pushing it?
This is a massive company wide fuckup they had, and it’s going to end up with them reporting to Congress and many, many courts on what happened.
Not just Crowdstrike - any vendor that does automatic updates, which is more and more each day. Microsoft too big for a bad actor to do as you describe? Nope. Anything relying on free software? Supply chain vulnerabilities are huge and well documented - it’s only a matter of time.
Why would you want another year of their software for free?
Because AV, like everything else, costs a fortune at enterprise scale.
And yeah, I do understand your real point, but it’s really hard to choose good software. Every purchasing decision is a gamble and pretty much every time you choose something it’ll go bad sooner or later. (We didn’t imagine Vmware would turn into an extortion racket, for example. And we were only saying a few months ago how good value and reliable PRTG was, and they’ve just quadrupled their costs)
It doesn’t matter how much due diligence and testing you put into software, it’s really hard to choose good stuff. Crowdstrike was the choice a year ago (the Linux thing was more recent than that), and its detection methods remain world class. Do we trust it? Hell no, but if we change to something else, there are risks and costs to that too.
ayyy@sh.itjust.works
on 25 Jul 2024 06:41
Maybe AV, at an enterprise scale, is actually a horrible idea that reduces security, availability, and reliability and should be abolished through policy.
BrightCandle@lemmy.world
on 25 Jul 2024 02:24
They are going to get sued for billions and this little stunt isn’t going to change that. Should have implemented proper software testing before you took every corporate computer in the world, but companies like this always force their developers to rush instead of doing the right thing, and when it bites them they expect that things will carry on as normal. I can’t see many renewals in their future.
skuzz@discuss.tchncs.de
on 25 Jul 2024 05:42
Not even that. Kernel drivers are supposed to be Microsoft WHQL certified through a thorough testing process (that would have caught it in 3 minutes) before Microsoft will cryptographically sign them.
…but apparently Microsoft allows AV vendors to skip WHQL certification testing.
flambonkscious@sh.itjust.works
on 25 Jul 2024 06:30
…sorta. The complexity here is their driver is signed, but it’s also loading code from their channel file (that was all zeroed out), and it seems the necessary error checking wasn’t implemented.
I haven’t yet got to the root cause they published, this is just what I gathered from the video of a retired MS kernel dev who posts stuff.
Obviously with their design it allowed them to be flexible at the cost of playing with fire - I’m impressed they got away with it for so long, really
skuzz@discuss.tchncs.de
on 25 Jul 2024 23:33
Thank you for the clarification. WHQL is such a pain to set up, I’m sure the AV vendors whined, “but, security! Do we have to test everything every time? That would slow an urgent 0day release!”
flambonkscious@sh.itjust.works
on 26 Jul 2024 20:57
Yeah, there’s some limits to what they could do while maintaining pace for the 0 day stuff…
Some input validations would be the most basic things they should have done years ago. I’m aware of the hashing mature vendors do of any content they download for updates or deployments. Signature checking as well, and that’s before the code is even inspected - why don’t they include their automated tests they obviously aren’t using in the update as a sanity check client-side? (I’m not aware of anyone doing this or even if it’s possible without the rest of the IDE, stack, I’m no dev)
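The missing input validation this reply chain keeps coming back to (a signed driver trusting content from a channel file that turned out to be all zeroes), as an added example that is not CrowdStrike’s code and not posted by anyone in the thread. The file layout, field names, magic value and limits are all hypothetical. The contrast is between a loader that trusts the header and one that checks every count and offset against the real file length before anything is dereferenced:

```c
/* Added example, not CrowdStrike's code: a toy "channel file" loader that
 * contrasts a driver which trusts a content update with one that validates
 * it before use. The format, field names and constants are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CF_MAGIC     0x31464C43u   /* hypothetical magic, "CLF1" */
#define CF_MAX_RULES 4096u

typedef struct {                   /* hypothetical file header */
    uint32_t magic;
    uint32_t version;
    uint32_t rule_count;           /* cf_rule records that follow */
    uint32_t rule_offset;          /* byte offset of the first record */
} cf_header;

typedef struct {                   /* hypothetical rule record */
    uint32_t id;
    uint32_t flags;
    uint32_t pattern_offset;       /* byte offset of the pattern in the file */
    uint32_t pattern_len;
} cf_rule;

enum { CF_OK = 0, CF_ERR_SHORT = 1, CF_ERR_MAGIC = 2, CF_ERR_BOUNDS = 3 };

/* Naive loader in the style the thread describes: it trusts the header.
 * On a zero-filled file every field is 0, so the "rule table" it returns is
 * the header itself, and nothing stops a caller from following the
 * zero-filled offsets and counts wherever they lead. */
const cf_rule *cf_load_naive(const uint8_t *buf) {
    const cf_header *h = (const cf_header *)buf;
    return (const cf_rule *)(buf + h->rule_offset);
}

/* Hardened loader: every count and offset is checked against the real file
 * length before anything is dereferenced. A zero-filled file fails the
 * magic check; a truncated file never even reaches the header. */
int cf_validate(const uint8_t *buf, size_t len) {
    cf_header h;
    if (buf == NULL || len < sizeof h)
        return CF_ERR_SHORT;
    memcpy(&h, buf, sizeof h);                 /* avoid unaligned access */
    if (h.magic != CF_MAGIC)
        return CF_ERR_MAGIC;
    if (h.rule_count > CF_MAX_RULES || h.rule_offset < sizeof h ||
        h.rule_offset > len)
        return CF_ERR_BOUNDS;
    if ((uint64_t)h.rule_count * sizeof(cf_rule) > len - h.rule_offset)
        return CF_ERR_BOUNDS;                  /* table runs off the end */
    for (uint32_t i = 0; i < h.rule_count; i++) {
        cf_rule r;
        memcpy(&r, buf + h.rule_offset + (size_t)i * sizeof r, sizeof r);
        if (r.pattern_offset > len || r.pattern_len > len - r.pattern_offset)
            return CF_ERR_BOUNDS;              /* pattern runs off the end */
    }
    return CF_OK;
}

/* Constructed test data: one well-formed rule whose pattern is "evil.exe".
 * Writes the file into out and returns its length (0 if out is too small). */
size_t cf_build_sample(uint8_t *out, size_t cap) {
    static const char pattern[] = "evil.exe";
    cf_header h = { CF_MAGIC, 1, 1, sizeof(cf_header) };
    cf_rule r = { 7, 0, sizeof(cf_header) + sizeof(cf_rule), sizeof pattern - 1 };
    size_t n = sizeof h + sizeof r + sizeof pattern - 1;
    if (cap < n)
        return 0;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, &r, sizeof r);
    memcpy(out + sizeof h + sizeof r, pattern, sizeof pattern - 1);
    return n;
}

/* Scenario helpers; each builds its own input so the result can be checked. */
int cf_demo_valid(void) {
    uint8_t f[256];
    return cf_validate(f, cf_build_sample(f, sizeof f));
}
int cf_demo_zero_filled(void) {                /* the all-zero update */
    uint8_t f[4096];
    memset(f, 0, sizeof f);
    return cf_validate(f, sizeof f);
}
int cf_demo_truncated(void) {                  /* cut off inside the header */
    uint8_t f[256];
    cf_build_sample(f, sizeof f);
    return cf_validate(f, 8);
}
int cf_demo_bad_count(void) {                  /* header promises 100 rules */
    uint8_t f[256];
    size_t n = cf_build_sample(f, sizeof f);
    uint32_t too_many = 100u;
    memcpy(f + offsetof(cf_header, rule_count), &too_many, sizeof too_many);
    return cf_validate(f, n);
}
```

Structural validation like this sits in front of, not instead of, the hashing and signature checking mentioned above: a correctly signed file can still be malformed or zero-filled if the pipeline that produced it was broken, so the consumer has to reject invalid content on its own. In a kernel driver the other half of the design is what happens on rejection: `cf_validate` returning an error should mean "keep the previous rule set", never "crash".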
MeetInPotatoes@lemmy.ml
on 25 Jul 2024 03:24
“All of CrowdStrike understands the gravity and impact of the situation”
What is interesting is the comment made in the video on how chromebooks do software upgrades with dual “OS” disk-partitions and the ability to rollback to the previous OS-partition.
Question: is something like this also possible on one of the major linux distros? (debian, ubuntu, rocky, …)
What would be the procedure to do this kind of “dual partition” system-upgrade?
(*) a great video that explained some of the technical details in a very clear way, including some very interesting ‘lessons learned’ and "what if"s
If you ever need to explain crowdstrike to your manager, this video is a good start.
Unmapped@lemmy.ml
on 25 Jul 2024 07:18
If I’m understanding the question right, this is what immutable Linux distros do, such as NixOS, Fedora Silverblue, and Vanilla OS.
I use NixOS myself, but it’s quite different from most distros in the way you configure it and install packages. For the better, in my opinion.
Something like Silverblue works pretty much the same as normal Fedora, except you can’t install packages like you normally would, because the system files can’t be edited. You mostly use Flatpak for everything except the system updates, which require a reboot to switch to the new updated image. But past images are saved, so you can roll back if needed.
From what I understand, ChromeOS is an immutable Linux distro, same as the ones I mentioned, just with Google built in.
kristoff@infosec.pub
on 25 Jul 2024 07:29
Yes, that was indeed the question.
If I read it correctly, you need a specialised distro for this. You cannot do this on an off-the-shelf Debian or Ubuntu?
I’ll do some searching on ‘immutable Linux’. Thanks for the (very quick) answer! 😀
Unmapped@lemmy.ml
on 25 Jul 2024 07:32
There is a file system you can use, an alternative to ext4. I think it’s Btrfs. I never tried it, but it lets you take snapshots that you can restore to. That’s not just system files but everything. And pretty sure you can use it with a distro like Arch and Debian. I think that’s how snapshots work. But as I said, I never actually tried it out.
kristoff@infosec.pub
on 25 Jul 2024 20:53
Just watched some videos on Btrfs.
Looks interesting indeed. I will look into it and perhaps do a test-installation and see how it goes.
I think the answers given here don’t quite fit the question.
Android and Windows have dedicated recovery partitions sectioned off on the disk that the OS never boots to and does not interact with during normal system operation.
If something goes wrong with the OS, then a signal is sent to the BIOS or other non-OS system to “hey, recover from this partition”.
Btrfs, NixOS, Guix, and other immutable (file-)systems, implement this via having a file system hierarchy protected by various permissions and softlinks to create a checkpoint of sorts, which is managed by a dedicated service that runs with the OS during normal system operation.
The drawback of these systems is that if something does go wrong with the OS, it cannot fallback to the BIOS to save it. The OS has to somehow signal to itself that it needs to restore from an earlier checkpoint.
kristoff@infosec.pub
on 25 Jul 2024 21:07
Just watched some videos on Btrfs. I start to understand the concepts.
Perhaps I should also look into how exactly
On Windows and the “recovery partition”: I guess what you say is that it should always be possible to boot into some kind of system, but it will not happen automatically, as there is no way for a system to detect that the system completely hangs.
Thinking about it, it’s kind of strange.
Embedded systems have watchdog interrupts that get fired if the system hangs (i.e. if it does not provide a “yes, I still live” signal every “x” milliseconds).
Does a PC not have something similar?
Embedded systems have the advantage of all using a single bootloader, U-Boot, so the error path is always known and the software knows how to fall back.
With x86_64 systems it’s a mixed bag, and maybe the Windows and Linux bootloaders know what to do, but in most cases it will just signal an error and stop.
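The dual-partition update with rollback that the thread attributes to ChromeOS, together with the watchdog question just above (how does anything notice that the new OS never came up, if the OS itself is the thing that hung?), as an added example that is not from the thread, from ChromeOS or from U-Boot. The slot layout, field names and the three-try budget are hypothetical. The point it shows is that the bootloader, not the failed OS, makes the fallback decision, by counting down tries that it persists before every handoff:

```c
/* Added example, not from the thread, ChromeOS or U-Boot: a model of an A/B
 * ("dual OS partition") boot scheme with loader-side fallback. Slot layout,
 * field names and the try budget are hypothetical. */
#include <stdbool.h>
#include <stdint.h>

#define AB_TRIES 3   /* boots a fresh image may fail before the loader gives up */

typedef struct {
    uint32_t version;     /* OS image version installed in this slot */
    bool     bootable;    /* image present and integrity-checked */
    bool     successful;  /* the OS has reported a good boot at least once */
    uint8_t  tries_left;  /* attempts left while the image is on probation */
} ab_slot;

typedef struct {
    ab_slot slot[2];
    int     active;       /* slot the loader tries first */
} ab_state;

/* Initial state: slot 0 holds a proven image, slot 1 is empty. */
ab_state ab_init(uint32_t version) {
    ab_state s = { { { version, true, true, 0 }, { 0, false, false, 0 } }, 0 };
    return s;
}

/* Updater writes the new image into the inactive slot and arms it. The
 * running OS is never touched, so the known-good image stays intact. */
void ab_stage_update(ab_state *s, uint32_t new_version) {
    int target = 1 - s->active;
    s->slot[target] = (ab_slot){ new_version, true, false, AB_TRIES };
    s->active = target;   /* next boot tries the new slot first */
}

/* Bootloader decision (the U-Boot/firmware role from the thread). A slot is
 * eligible if it is bootable and either proven or still has tries left.
 * Each attempt at an unproven slot burns a try, persisted before handoff,
 * so a hang or crash that never returns is still counted. When the tries
 * are gone the loader falls back to the other slot on its own. Returns the
 * slot to boot, or -1 if nothing is bootable. */
int ab_select_slot(ab_state *s) {
    for (int attempt = 0; attempt < 2; attempt++) {
        ab_slot *c = &s->slot[s->active];
        if (c->bootable && (c->successful || c->tries_left > 0)) {
            if (!c->successful)
                c->tries_left--;
            return s->active;
        }
        s->active = 1 - s->active;   /* give up on this slot */
    }
    return -1;
}

/* Called by the OS once it knows it works (services up, health checks
 * passed). Until then the image stays on probation. */
void ab_mark_successful(ab_state *s, int slot) {
    s->slot[slot].successful = true;
}

/* Bad update: version 101 crashes on every boot, so it never marks itself
 * good. Each loop iteration is one watchdog-triggered reboot. Returns the
 * version that is finally running. */
uint32_t ab_demo_bad_update(void) {
    ab_state s = ab_init(100);
    ab_stage_update(&s, 101);
    for (int boot = 0; boot <= AB_TRIES; boot++) {
        int slot = ab_select_slot(&s);
        if (slot < 0)
            break;
        if (s.slot[slot].version == 100)   /* old image still works */
            ab_mark_successful(&s, slot);
    }
    return s.slot[s.active].version;
}

/* Good update: version 101 comes up and reports success on its first boot. */
uint32_t ab_demo_good_update(void) {
    ab_state s = ab_init(100);
    ab_stage_update(&s, 101);
    int slot = ab_select_slot(&s);
    if (slot >= 0)
        ab_mark_successful(&s, slot);
    return s.slot[s.active].version;
}
```

This is the same shape as Android’s A/B slots and U-Boot’s bootcount/bootlimit: the OS only ever sets the “successful” flag, so an image that hangs, crashes or blue-screens before it gets that far exhausts its tries and the previous image comes back without anyone touching the machine. Btrfs snapshots with snapper give you the undo, but a human still has to pick the earlier snapshot at the boot menu.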
lproven@social.vivaldi.net
on 25 Jul 2024 21:11
@kristoff@purplemonkeymad Try openSUSE (RPM family), Garuda Linux (Arch family), or Spiral Linux (Debian stable) or siduction (Debian testing). All have snapper and on Btrfs do snapshots and rollback.
lproven@social.vivaldi.net
on 25 Jul 2024 21:13
@kristoff@purplemonkeymad But watch out: you will need a *huge* root partition, because it's very easy to fill it with snapshots and if it reaches 100% it *will* corrupt.
Btrfs is tricksy: it won't give a straight answer to `df -h` and there is no working equivalent of `fsck`.
lproven@social.vivaldi.net
on 25 Jul 2024 21:16
@kristoff@purplemonkeymad All of these are in-place same-disk snapshots. The ChromeOS system is simpler and so can be automated, but you only get 1 level of undo.
I don't know any mainstream OS that does dual-failover. Deepin Linux has 2 root partitions but I don't know how it uses them.
I think Valve SteamOS does something like this. It's not just for games: it has KDE built in. There are guides to getting it running on your own hardware. You will want AMD graphics, though.
kristoff@infosec.pub
on 26 Jul 2024 05:52
As I mentioned earlier, I guess Chrome is more like Android, where you have a much more strict separation between the OS, applications and user data.
(I remember reading about all the different partitions on Android and what they are used for, but I should brush up my knowledge on this.)
Thanks for the additional info on Btrfs! 👍
lproven@social.vivaldi.net
on 26 Jul 2024 07:54
@kristoff Not really... On ChromeOS, there are no apps.
kristoff@infosec.pub
on 26 Jul 2024 08:09
No apps at all ???
So it really is like a dumb terminal. Now I know why I never used a Chromebook😀
Which is the amount you’d get in the class action suit that they’re trying to prevent.
NigelFrobisher@aussie.zone
on 25 Jul 2024 03:45
I thought this was going to be The Onion.
kristoff@infosec.pub
on 25 Jul 2024 06:45
This is a typical mail a phishing campaign would send out, and we have already said to people “never believe these kinds of messages. They are all fake.”
Now, if a genuine company sends out mails with genuine gift cards (which is what the article on TechCrunch seems to indicate) … this is NOT helpful at all!!!
And that coming from a cybersecurity company (rolling eyes)
ChaoticNeutralCzech@lemmy.ml
on 25 Jul 2024 20:12
Buy a $10 Xbox gift card and send us the code so that we can activate it. Then you get back to the shop and get $20 in cash - $10 for returning the card and $10 from us. We’ll pay the tax, too.
kristoff@infosec.pub
on 26 Jul 2024 05:56
Sounds like a money laundering scheme!
ChaoticNeutralCzech@lemmy.ml
on 28 Jul 2024 07:38
No. They will just use the $10 card and leave. They will prey on the fact that “get a gift card for your computer troubles” is something a legitimate company has done.
KomfortablesKissen@discuss.tchncs.de
on 25 Jul 2024 07:18
This would be even funnier if there was exactly one $10 gift card everyone has to fight over.
SkaveRat@discuss.tchncs.de
on 25 Jul 2024 07:44
After the lawsuits, it might be all they can afford
twei@discuss.tchncs.de
on 26 Jul 2024 09:41
The codes are as available as a system with the Falcon sensor
A_Porcupine@lemmy.world
on 25 Jul 2024 07:27
This is very misleading!
CrowdStrike did not send gift cards to customers or clients. We did send these to our teammates and partners who have been helping customers through this situation. Uber flagged it as fraud because of high usage rates.
SkaveRat@discuss.tchncs.de
on 25 Jul 2024 08:17
I mean, it makes it a little better, but I’d still be annoyed by it just being 10 bucks.
They might as well not do it. I’d be more insulted than a boss throwing a pizza party
A_Porcupine@lemmy.world
on 25 Jul 2024 08:34
Oh yeah for sure, I wonder if the thinking was “we’re about to lose a bunch of money, maybe limit it a little” 😂
zalgotext@sh.itjust.works
on 25 Jul 2024 21:19
Seriously, ten bucks won’t even cover delivery costs and fees for most things on Uber Eats. It’s almost worse than nothing, because with the gift card you’re obligated to give even more money to Uber Eats
kristoff@infosec.pub
on 25 Jul 2024 10:42
OK. That makes a lot more sense.
Thank you for correcting the original post. 👍
papertowels@lemmy.one
on 25 Jul 2024 16:22
Nice gesture I guess, but kinda just the modern day pizza party
JokeDeity@lemm.ee
on 25 Jul 2024 11:21
Give them some time. They have to manually reboot the gift card servers.
Hey, it’s my namesake!
Oh Captain Haddock we love you
My first reaction was to look for the onion
hahahahha spot on
Nice to see I wasn’t the only one who saw it that way.
!nottheonion@lemmy.ml
One of the rare cases where no gift would have been better
especially since the gift card provided doesn’t work. “here’s a 10 dollar giftcard for our screw up…also it doesn’t work…go fuck yourself”
That’s bad
But it comes with a free froyo!
That’s good!
The Froyo contains sodium benzoate.
… that’s bad.
The gift card caused Uber servers to BSOD
Fine. You want two?! Will that be enough??
We are family here
Outside, the sign says “Heroes Work Here”. Inside, two people do the work of four.
Above the entrance: "Labour will set you free"
You can’t write comedy this good…
Classic corporate behaviour tho
Even an AI is good enough to avoid (or let someone avoid) pushing a similar bug 🫣
Maybe, but it’s not going to happen soon. Any malware type insurance requires effective AV on all devices, and C-levels do love their insurance.
Unfortunate reality for a lot of medium to big size businesses.
A $10 Ubereats gift card will barely cover fees and taxes, let alone the actual item. What a clown ass gesture.
My brother in law was stranded across the country for two days. $10 probably covers it lol.
m.youtube.com/watch?v=15HTd4Um1m4
Satire is well & truly dead.
I thought it had to be a joke article from the title. Yeesh wouldn’t want to be the person who gets the fallout from this idea.
Insult upon injury
They are going to get sued for billions and this little stunt isn’t going to change that. Should have implemented proper software testing before you took ever corporate computer in the world, but companies like this always force their developers to rush instead of do the right thing and when it bites them expect that things will carry on as normal. I can’t see many renewals in their future.
Not even that. Kernel drivers are supposed to be Microsoft WHQL certified through a thorough testing process (that would have caught it in 3 minutes) before Microsoft will cryptographically sign them.
…but apparently Microsoft allows AV vendors to skip WHQL certification testing.
…sorta. The complexity here is their driver is signed, but it’s also loading code from their channel file (that was all zeroed out), and it seems the necessary error checking wasn’t implemented.
I haven’t yet got to the root cause they published, this is just what I gathered from the video of a retired MS kernel dev who posts stuff.
Obviously with their design it allowed them to be flexible at the cost of playing with fire - I’m impressed they got away with it for so long, really
Thank you for the clarification. WHQL is such a pain to set up, I’m sure the AV vendors whined, “but, security! Do we have to test everything every time? That would slow an urgent 0day release!”
Yeah, there’s some limits to what they could do while maintaining pace for the 0 day stuff…
Some input validations would be the most basic things they should have done years ago. I’m aware of the hashing mature vendors do of any content they download for updates or deployments. Signature checking as well, and that’s before the code is even inspected - why don’t they include their automated tests they obviously aren’t using in the update as a sanity check client-side? (I’m not aware of anyone doing this or even if it’s possible without the rest of the IDE, stack, I’m no dev)
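The client-side sanity checks discussed in the two comments above (reject a zeroed-out content file, verify its integrity and authenticity before parsing, fall back to the last known-good content on failure), as an added example that is not CrowdStrike's code or format. The file layout, magic bytes and shared key are assumptions made up for this illustration; a real product would use an asymmetric signature rather than an HMAC.

```python
import hashlib
import hmac

# Assumed layout for this example (NOT the real channel-file format):
#   4-byte magic | 4-byte big-endian payload length | payload | 32-byte HMAC-SHA256
MAGIC = b"CHNL"
TAG_LEN = 32
UPDATE_KEY = b"hypothetical-update-key"  # placeholder key for the demo


class ChannelFileError(ValueError):
    """Raised when a downloaded content file fails a sanity check."""


def build_channel_file(payload: bytes, key: bytes = UPDATE_KEY) -> bytes:
    """Producer side: frame the payload and append an integrity tag."""
    body = MAGIC + len(payload).to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def validate_channel_file(blob: bytes, key: bytes = UPDATE_KEY) -> bytes:
    """Consumer side: return the payload only if every check passes."""
    if len(blob) < 8 + TAG_LEN:
        raise ChannelFileError("file too short to be a channel file")
    # The all-zero case from the incident: catch it explicitly for a clear diagnostic.
    if not any(blob):
        raise ChannelFileError("file is entirely zero bytes")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    # Authenticate BEFORE parsing so untrusted bytes never reach the parser.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ChannelFileError("integrity tag mismatch")
    if body[:4] != MAGIC:
        raise ChannelFileError("bad magic")
    declared = int.from_bytes(body[4:8], "big")
    if declared != len(body) - 8:
        raise ChannelFileError("length field does not match file size")
    return body[8:]


def load_update(blob: bytes, current_payload: bytes) -> bytes:
    """Keep running on the last known-good content if the new file is rejected."""
    try:
        return validate_channel_file(blob)
    except ChannelFileError as err:
        print(f"update rejected, keeping current content: {err}")
        return current_payload
```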
“All of CrowdStrike understands the gravity and impact of the situation”
Here’s $10.
Or: next time go Linux instead
You’re not safe there either, they had almost the same issue on the Linux version of the product a few months ago.
Antiviruses are not that common on Linux servers
Concerning linux, yesterday I was watching this video on computerphile on the crowdstrike incident. www.youtube.com/watch?v=rlaNMJeA1EA (*)
What is interesting is the comment made in the video on how chromebooks do software upgrades with dual “OS” disk-partitions and the ability to rollback to the previous OS-partition.
Question: is something like this also possible on one of the major linux distros? (debian, ubuntu, rocky, …) What would be the procedure to do this kind of “dual partition” system-upgrade?
(*) A great video that explained some of the technical details in a very clear way, including some very interesting ‘lessons learned’ and "what if"s. If you ever need to explain CrowdStrike to your manager, this video is a good start.
If I’m understanding the question right, this is what immutable Linux distros do, such as NixOS, Fedora Silverblue, and Vanilla OS.
I use NixOS myself, but it’s quite different than most distros in the way you config it and install packages. For the better, in my opinion.
Something like Silverblue works pretty much the same as normal Fedora, except you can’t install packages like you normally would, because the system files can’t be edited. You mostly use Flatpak for everything, except the system updates, which you have to reboot to switch to the new updated image. But past images are saved so you can roll back if needed.
From what I understand, ChromeOS is an immutable Linux distro, same as the ones I mentioned, just with Google built in.
Yes, that was indeed the question.
If I read it correctly, you need a specialised distro for this. You cannot do this on an off-the-shelf Debian or Ubuntu?
I’ll do some searching on ‘immutable Linux’. Thanks for the (very quick) answer! 😀
There is a file system you can use, an alternative to ext4. I think it’s Btrfs. I never tried it, but it lets you take snapshots that you can restore to. That’s not just system files but everything. And I’m pretty sure you can use it with a distro like Arch and Debian. I think that’s how snapshots work. But as I said, I never actually tried it out.
Just watched some videos on Btrfs. Looks interesting indeed. I will look into it and perhaps do a test installation and see how it goes.
Thanks for the info
I think the answers given here don’t quite fit the question.
Android and Windows have dedicated recovery partitions sectioned off on the disk that the OS never boots to and does not interact with during normal system operation.
If something goes wrong with the OS, then a signal is sent to the BIOS or other non-OS system to “hey, recover from this partition”.
Btrfs, NixOS, Guix, and other immutable (file-)systems, implement this via having a file system hierarchy protected by various permissions and softlinks to create a checkpoint of sorts, which is managed by a dedicated service that runs with the OS during normal system operation.
The drawback of these systems is that if something does go wrong with the OS, it cannot fallback to the BIOS to save it. The OS has to somehow signal to itself that it needs to restore from an earlier checkpoint.
Just watched some videos on Btrfs. I start to understand the concepts. Perhaps I should also look into how exactly
On Windows and the “recovery partition”: I guess what you say is that it should always be possible to boot into some kind of system, but it will not happen automatically, as there is no way for a system to detect that the system completely hangs.
Thinking about it, it’s kind of strange. Embedded systems have watchdog interrupts that get fired if the system hangs (i.e. if it does not provide a “yes, I still live” signal every “x” milliseconds). Does a PC not have something similar?
Embedded systems have the advantage of all using a single bootloader, U-Boot, so the error path is always known and the software knows how to fall back.
With x86_64 systems it’s a mixed bag, and maybe the Windows and Linux bootloaders know what to do, but in most cases it will just signal an error and stop.
@kristoff @purplemonkeymad Try openSUSE (RPM family), Garuda Linux (Arch family), or Spiral Linux (Debian stable) or siduction (Debian testing). All have snapper and on Btrfs do snapshots and rollback.
http://snapper.io/
@kristoff @purplemonkeymad But watch out: you will need a *huge* root partition, because it's very easy to fill it with snapshots and if it reaches 100% it *will* corrupt.
Btrfs is tricksy: it won't give a straight answer to `df -h` and there is no working equivalent of `fsck`.
@kristoff @purplemonkeymad All of these are in-place same-disk snapshots. The ChromeOS system is simpler and so can be automated, but you only get 1 level of undo.
I don't know any mainstream OS that does dual-failover. Deepin Linux has 2 root partitions but I don't know how it uses them.
I think Valve SteamOS does something like this. It's not just for games: it has KDE built in. There are guides to getting it running on your own hardware. You will want AMD graphics, though.
As I mentioned earlier, I guess ChromeOS is more like Android, where you have a much stricter separation between the OS, applications and user data. (I remember reading about all the different partitions on Android and what they are used for, but I should brush up my knowledge on this.)
Thanks for the additional info on Btrfs! 👍
@kristoff Not really... On ChromeOS, there are no apps.
No apps at all ???
So it really is like a dumb terminal. Now I know why I never used a Chromebook😀
Funny, when I suggested that, I got down voted to oblivion
You’d be downvoted anyway today, thanks to crowdstrike
Which is the amount you’d get in the class action suit that they’re trying to prevent.
I thought this was going to be The Onion.
This is a typical mail a phishing campaign would send out, and we have already said to people "never believe this kind of message. They are all fake."
Now, if a genuine company sends out mails with genuine gift cards (which is what the article on TechCrunch seems to indicate) … this is NOT helpful at all!!!
And that coming from a cybersecurity company (rolling eyes)
Buy a $10 Xbox gift card and send us the code so that we can activate it. Then you get back to the shop and get $20 in cash - $10 for returning the card and $10 from us. We’ll pay the tax, too.
Sounds like a money laundering scheme!
No. They will just use the $10 card and leave. They will prey on the fact that “get a gift card for your computer troubles” is something a legitimate company has done.
This would be even funnier if there was exactly one $10 gift card everyone has to fight over.
After the lawsuits, it might be all they can afford
Actually the code didn’t work for some
The codes are as available as a system with the Falcon sensor
This is very misleading!
I mean, it makes it a little better, but I’d still be annoyed by it just being 10 bucks.
They might as well not do it. I’d be more insulted than a boss throwing a pizza party
Oh yeah for sure, I wonder if the thinking was “we’re about to lose a bunch of money, maybe limit it a little” 😂
Seriously, ten bucks won’t even cover delivery costs and fees for most things on Uber Eats. It’s almost worse than nothing, because with the gift card you’re obligated to give even more money to Uber Eats
OK. That makes a lot more sense.
Thank you for correcting the original post. 👍
Nice gesture I guess, but kinda just the modern day pizza party
How is this not The Onion?