It was mayhem at PakNSave a bit ago.

cos 3 of the big ones can’t do credit card transactions right now

Bitcoin still up and running perhaps people can use that

4:00PM here in Aus. Absolutely perfect for an early Friday knockoff.

Having had to fix >100 machines today, I’m not sure how a reimage would be less work. Restoring from backups maybe, but reimage and reconfig is so painful

It’s just one file to delete.

Probably have to go old-skool and actually be at the machine.

Do you have any source on this?

Np man. Thanks for mentioning it.

Enjoy your weekend unless you are in IT

Yeah that would be case in most laptops. So if bitlocker is involved as well what could be the possible fix.

It might not even be that. A lot of places have many servers (and even more virtual servers) running crowdstrike. Some places also seem to have it on endpoints too.

That's a lot of machines to manually fix.

They also gotta get the fix through a trusted channel and not randomly on the internet. (No offense to the person that gave the info, it’s maybe correct but you never know)

This sort of fix might not be accessible to a lot of employees who don’t have admin access on their company laptops, and if the laptop can’t be accessed remotely by IT then the options are very limited. Trying to walk a lot of nontechnical users through this over the phone won’t go very well.

And people need to travel to remote machines to do this in person

Might seem easy to someone with a technical background. But the last thing businesses want to be doing is telling average end users to boot into safe mode and start deleting system files.

If that started happening en masse we would quickly end up with far more problems than we started with. Plenty of users would end up deleting system32 entirely or something else equally damaging.

Yes but the recovery menu may have been configured to ask for administrative credentials, to prevent unwanted access to the computer, and then fixing the problem would take way longer.

I wouldn’t fix it if it’s not my responsibly at work. What if I mess up and break things further?

When things go wrong, best to just let people do the emergency process.

Gonna be a nice test of proper backups and disaster recovery protocols for some organisations

You hold down Shift while restarting or booting and you get a recovery menu. I don’t know why they changed this behaviour.

That was the dumbest thing to learn this morning.

lol he said it’s working

Looks like the laptops are able to be recovered with a bit of finagling, so fortunately they haven’t bricked everything.

And yeah staged updates or even just… some testing? Not sure how this one slipped through.

Got a link? I find it hard to believe that a process like that would stop because of a few windows machines not booting.

They can have all the clauses they like but pulling something like this off requires a certain amount of gross negligence that they can almost certainly be held liable for.

Forget lawsuits, they’re going to be in front of congress for this one

Nah. This has happened with every major corporate antivirus product. Multiple times. And the top IT people advising on purchasing decisions know this.

Don’t most indemnity clauses have exceptions for gross negligence? Pushing out an update this destructive without it getting caught by any quality control checks sure seems grossly negligent.

Not everyone is fortunate enough to have a seperate testing environment, you know? Manglement has to cut cost somewhere.

The London Stock Exchange went down. They’re fukd.

explain to the project manager with crayons why you shouldn’t do this

Can’t; the project manager ate all the crayons

Why is it bad to do on a Friday? Based on your last paragraph, I would have thought Friday is probably the best week day to do it.

Was it not possible for MS to design their safe mode to still “work” when Bitlocker was enabled? Seems strange.

rolling out an update to production that there was clearly no testing

Or someone selected “env2” instead of “env1” (#cattleNotPets names) and tested in prod by mistake.

Look, it’s a gaffe and someone’s fired. But it doesn’t mean fuck ups are endemic.

Crowdstrike runs at ring 0, effectively as part of the kernel. Like a device driver. There are no safeguards at that level. Extreme testing and diligence is required, because these are the consequences for getting it wrong. This is entirely on crowdstrike.

This didn’t go through Windows Update. It went through the ctowdstrike software directly.

OK, but people aren’t running Crowdstrike OS. They’re running Microsoft Windows.

I think that some responsibility should lie with Microsoft - to create an OS that

1. Recovers gracefully from third party code that bugs out
2. Doesn’t allow third party software updates to break boot

I get that there can be unforeseeable bugs, I’m a programmer of over two decades myself. But there are also steps you can take to strengthen your code, and as a Windows user it feels more like their resources are focused on random new shit no one wants instead of on the core stability and reliability of the system.

It seems to be like third party updates have a lot of control/influence over the OS and that’s all well and good, but the equivalent of a “Try and Catch” is what they needed here and yet nothing seems to be in place. The OS just boot loops.

yeah so you can’t get Chinese government spyware installed.

Not only does it (possibly) prevent booting, but it will also bsod it first so you’ll have to see how lucky you get.

Goddamn I hate crowdstrike. Between this and them fucking up and letting malware back into a system, I have nothing nice to say about them.

It’s just a fun coincidence that the azure outage was around the same time.

expect it to fail to boot any time you don’t have an Internet connection.

So, like the UbiSoft umbilical but for OSes.

Edit: name of publisher not developer.

And especially now the work week has slimmed down where no one works on Friday anymore

Excuse me, what now? I didn’t get that memo.

Yep, anything done on Friday can enter the world on a Monday.

I don’t really have any plans most weekends, but I sure as shit don’t plan on spending it fixing Friday’s fuckups.

Actually I was not even joking. I also work in IT and have exactly the same opinion. Friday is for easy stuff!

This is fine as long as you politely ask everyone on the Internet to slow down and stop exploiting new vulnerabilities.

BTW, I use Arch.

That’s advice so smart you’re guaranteed to have massive security holes.

This is AV, and even possible that it is part of definitions (for example some windows file deleted as false positive). You update those daily.

But probably not immediately, probably slowly over time as contracts come due.

To whom? All their competitors have had incidents like this too.

Puts on Crowdstrike?

I’ve worked as an IT architect at various companies in my career and you can definitely get support contracts for engineering support of RHEL, Ubuntu, SUSE, etc. That isn’t the issue. The issue is that there are a lot of system administrators with “15 years experience in Linux” that have no real experience in Linux. They have experience googling for guides and tutorials while having cobbled together documents of doing various things without understanding what they are really doing.

I can’t tell you how many times I’ve seen an enterprise patch their Linux solutions (if they patched them at all with some ridiculous rubberstamped PO&AM) manually without deploying a repo and updating the repo treating it as you would a WSUS. Hell, I’m pleasantly surprised if I see them joined to a Windows domain (a few times) or an LDAP (once but they didn’t have a trust with the Domain Forest or use sudoer rules…sigh).

Companies REALLY want that support clause in their infrastructure agreement.

RedHat, Ubuntu, SUSE - they all exist on support contracts.

Windows server, the OS, runs differently from desktop windows. So if you’re using desktop windows and expecting it to run like a server, well, that’s on you. However, I ran windows server 2016 and then 2019 for quite a few years just doing general homelab stuff and it is really a pain compared to Linux which I switched to on my server about a year ago. Server stuff is just way easier on Linux in my experience.

.

Not judging, but why wouldn’t you run Linux for a server?

And 60% of Azure is running Linux lol

doesn’t like a quarter of the internet kinda run on Azure?

Said another way, 3/4 of the internet isn’t on Unsure cloud blah-blah.

And azure is - shhh - at least partially backed by Linux hosts. Didn’t they buy an AWS clone and forcibly inject it with money like Bobby Brown on a date in the hopes of building AWS better than AWS like they did with nokia? MS could be more protectively diverse than many of its best customers.

If you want to run around without edr/xdr software be my guest.

I don’t think anyone is saying that… But picking programs that your company has visibility into is a good idea. We use Wazuh. I get to control when updates are rolled out. It’s not a massive shit show when the vendor rolls out the update globally without sufficient internal testing. I can stagger the rollout as I see fit.

Hmm. Is it safer to have a potentially exploitable agent running as root and listening on a port, than to not have EDR running on a well-secured low-churn enterprise OS - sit down, Ubuntu - adhering to best practice for least access and least-services and good role-sep?

It’s a pickle. I’m gonna go with “maybe don’t lock down your enterprise Linux hard and then open a yawning garage door of a hole right into it” but YMMV.

I’m so tired of all the fun…

CrowdCollapse

I work in a data center

I lost count

There was a point where words lost all meaning and I think my heart was one continuous beat for a good hour.

Well, I’ve seen some, but they usually don’t have automatic updates and generally do not have access to the Internet.

This is a crowdstrike issue specifically related to the falcon sensor. Happens to affect only windows hosts.

My current company does and I hate it so much. Who even got that idea in the first place? Linux always dominated server-side stuff, no?

Marginal? You must be joking. A vast amount of servers run on Windows Server. Where I work alone we have several hundred and many companies have a similar setup. Statista put the Windows Server OS market share over 70% in 2019. While I find it hard to believe it would be that high, it does clearly indicate it’s most certainly not a marginal percentage.

Not too long ago, a lot of Customer Relationship Management (CRM) software ran on MS SQL Server. Businesses made significant investments in software and training, and some of them don’t have the technical, financial, or logistical resources to adapt - momentum keeps them using Windows Server.

For example, small businesses that are physically located in rural areas can’t use cloud based services because rural internet is too slow and unreliable. Its not quite the case that there’s no amount of money you can pay for a good internet connection in rural America, but last time I looked into it, Verizon wanted to charge me $20,000 per mile to run a fiber optic cable from the nearest town to my client’s farm.

It’s only marginal for running custom code. Every large organization has at least a few of them running important out-of-the-box services.

Almost everyone, because the Windows server market share isn’t marginal at all.

Oh yeah I felt a great disturbance (900 alarms) in the force (Opsgenie)

Depends on your management solutions. Intel vPro can allow remote access like that on desktops & laptops even if they’re on WiFi and in some cases cellular. It’s gotta be provisioned first though.

VPro is massively a desktop feature. Servers have proper IPMI/iDrac with more features, and VPro fills (part of) that management gap for desktops. It’s pretty cool it’s not spoiled or disabled. Time to reburn all the desktops in east-07? VPro will be the way.

I think we’re defining disaster differently. This is a disaster. It’s just not one that necessitates restoring from backup.

Disaster recovery is about the plan(s), not necessarily specific actions. I would hope that companies recognize rerolling the server from backup isn’t the only option for every possible problem.
I imagine CrowdStrike pulled the update, but that would be a nightmare of epic dumbness if organizations got trapped in a loop.

Nah… just boot into safemode > cmd prompt: CD C:\Windows\System32\drivers\CrowdStrike

Then: del C-00000291*.sys

Exit/reboot.

Note this is easy enough to do if systems are booting or you dealing with a handful, but if you have hundreds of poorly managed systems, discard and do again.

Ah, you’re right. A poor turn of phrase.

I meant to say that intel brands their IPMI tools as AMT or vPro. (And completely sidestepped mentioning the numerous issues with AMT, because, well, that’s probably a novel at this point.)

Yeah, I agree with the sentiment, but this is pretty intense.

.

Bold of you to assume this person has friends!

no. after decades…not anymore. again and again. there is no good excel, apple users are not “educated”. just assholes caring about themselves and avoiding the need to learn. i did not yet hear any valid argument.

why not show compassion for driving bmw series 5 without a drivers license around kindergard?

i’m seriously just done with every windows,android,osx user forever. digital trumps. thats all they are. me. me. me.

Eh. This particular issue is making machines bluescreen.

Virtualized assets, If there’s a will there’s a way. Physical assets with REALLY nice KVMs… you can probably mount up an ISO to boot into to remove the stupid definitions causing this shit. Everything else? Yeah… you probably need to be there physically to fix it.

But I will note that many companies by policy don’t allow USB insertion… virtually or not. Which will make this considerably harder across the board. I agree that I think the majority could be fixed remotely. I don’t think the “other” categories are only 1%… I think there’s many more systems that probably required physical intervention. And more importantly… it doesn’t matter if it’s 100% or 0.0001%… If that one system is the one that makes the company money… % population doesn’t matter.

Not at my company. We’re all stuck in BSOD boot loops thanks to BitLocker, and our BIOS is password protected by IT. This is going to take weeks for them to manually update, on site, all the computers one by one.

Wait, monopolies are bad? This is the first I’ve ever heard of this concept. So much so that I actually coined the term “monopoly” just now to describe it.

The too big to fail philosophy at its finest.

They virtually blew up airports

It’s entertaining to me that our brand of monopolistic / oligarchic capitalism itself disincentivizes one-time costs that are greatly outweighed by the risk of future occurrences. Even when those one-time costs would result in greater stability and lower prices…and not even on that big of a time horizon. There is an army of developers that would be so motivated to work on a migration project like this. But then I guess execs couldn’t jet set around the world to hang out at the Crowdstrike F1 hospitality tent every weekend.

Crowd can run on linux, but it is running on all Linux machines? I’ve seen support for some RedHat machines, show me if there’s more

Just a little bit of a correction. Crowd strike publishes agents for Windows, Linux, and MacOS. Its just the particular broken agent is for Windows. They had a 1/3 chance of taking down any one of their three client bases

The company is not Windows based, they offer clients and agents for Linux and Mac as well (and there are some scattered reports they fucked up some of their Linux customers like this last month).

The Windows version of their software is what is broken.

I meant sssd, that I’ve seen working as a DC, if my memory serves me right. But I’ve never been the person setting up a domain controller, so.

EDIT: No, it doesn’t serve me right, from quick googling sssd can’t into DC’s. Kurwa.

Are there any 9P fans?

Good choice, tho. Is the image AI?

Definitely not small, our website is down so we can’t do any business and we’re a huge company. Multiply that by all the companies that are down, lost time on projects, time to get caught up once it’s fixed, it’ll be a huge number in the end.

Actually, it may have helped slow climate change a little

I’m in Australia so def Friday. Fu crowdstrike.

That’s one of those situations where they need to immediately hire local contractors to those remote sites. This outage literally requires touching the equipment. lol

I’d even say, fly out each individual team member to those sites… but even the airports are down.

Call the remote people in, deputize anyone who can work a command line, and prioritize the important stuff.

Yeah, there are USB sticks that identify as keyboards and run every keystroke saved in a text file on its memory in sequence. Neat stuff. The primary use case is of course corrupting systems or bruteforcing passwords without touching anything… But they work really well for executing scripts semi-automated.

Yep I have one of these, I think it’s called tiny. Very similar to an Arduino, and very easy to program.

I have had numerous managers tell me there was no time for QA in my storied career. Or documentation. Or backups. Or redundancy. And so on.

Completely justified reaction. A lot of the time tech companies and IT staff get shit for stuff that, in practice, can be really hard to detect before it happens. There are all kinds of issues that can arise in production that you just can’t test for.

But this… This has no justification. A issue this immediate, this widespread, would have instantly been caught with even the most basic of testing. The fact that it wasn’t raises massive questions about the safety and security of Crowdstrike’s internal processes.

From what I’ve heard and to play a devil’s advocate, it coincidented with Microsoft pushing out a security update at basically the same time, that caused the issue. So it’s possible that they didn’t have a way how to test it properly, because they didn’t have the update at hand before it rolled out. So, the fault wasn’t only in a bug in the CS driver, but in the driver interaction with the new win update - which they didn’t have.

You missed most important line:

>Make it proprietary

I can’t say about XP or 7 but they’ve definitely saved my bacon on Win10 before on my home system. And the company I work for has them automatically created and it made dealing with the problem much easier as there was a restore point right before the crowdstrike update. No messing around with the file system drivers needed.

I’d really recommend at least creating one at a state when your computer is working ok, it doesn’t hurt anything even if it doesn’t work for you for whatever reason. It’s just important to understand that it’s not a cure all, it’s only designed to help with certain issues (primarily botched updates and file system trouble).

That makes sense, although I must have just missed it, for people I work with to catch it.

had similar issues with specific Linux distros a month ago. It just didn’t get reported on because it didn’t have as wide of an impact.

Because most data center admins using linux are not so stupid to subscribe to remote updates from a third party. Linux issues happen when critical package vulnerabilities make it into the repo.

They skimp on QA?

Still a MS issue. Both testing and rollout procedures were inadequate

Bootable USB stick?

I’m never financially recovering from this. - George Kurtz

We’re already halfway there! reddit.com/…/cant_drive_your_car_due_to_update/#l…

Laid off one too many persons, finance bros taking over

I work for one of these behemoths, and there are a lot of adults in the room. When we began our transition off the prior, well known corporate AV, I never even heard of crowd strike.

The adults were asking reasonable questions: why such an aggressive migration timeline? Why can’t we have our vendor recommended exclusion lists applied? Why does this need to be installed here when previously agentless technologies was sufficient? Why is crowd strike spending monies on a Superbowl ad instead of investing back into the technology?

Either something fucky is a foot, as in this was mandated to our higher ups to m make the switch (why?), or, as is typically the case, the decision was made already and this ‘due diligence’ is all window dressing to CYA.

Who gives a shit about fines on SLAs if your vendor is going to foot the bill.

I’d be surprised if a data center didn’t.

Then you’d be surprised.

Sometimes there are options that are reasonable for individual users that don’t scale well to enterprise environments.

Also, the effectively gives attackers a secondary attack surface in addition to the normal remote access technologies that require the machine to be up and running to work.

.

There’s a shit ton more reasons than that, but in short: I highly doubt anyone suggesting a company just up and leave the MS ecosystem has spent any considerable amount of time in a sysadmin position.

That’s the annoying thing here. Everyone, particularly Lemmy where everyone runs Linux and FOSS, thinks this is a Microsoft/Windows issue. It’s not, it’s a Crowdstrike issue.

MS should have done testing as well. They can’t dodge this

How? I’m really curious to learn.

I am no expert. But afaik drivers normally are integrated into the kernel and intensively tested by several parties before getting onto your computer. Only for proprietary drivers this would be problematic under Linux.

Yeah it’s all fun and games until you actually convince someone and then you gotta explain how a bootloader works to someone who still calls their browser “Google”

It could if more people just used Linux

Look! We found the anti anti-microsoft user in their natural habitat of talking shit on social media. They are from the same family bootlickers and related to the Tossaladers. Don’t mention you are an alternative OS person around them or they may go into a blind rage.

Is it still at all Austiney though? With all the companies moving to Austin, I wonder how much of the original Austin is left.

That’s why I run 3 at once…

Also, enterprise infrastructure running on a Mac? It’s something I’ve never heard of in over a decade and a half of working in tech. And now I’m curious. Is it a thing?

Yeah the more I read it seems some crucial security software deployed bad patch.

I’m sure whatever OS would dominate would face widespread issues just by the numbers.

But to be fair it’s fun to make fun of Windows/MSFT :p

Microsoft installs security updates automatically.