• Widespread technology outage disrupts flights, banks, media outlets and

    From Leroy N. Soetoro@21:1/5 to All on Sat Jul 20 01:29:00 2024
    XPost: alt.business.offshore, talk.politics.guns, alt.computer.security
    XPost: sac.politics, talk.politics.misc

    https://apnews.com/article/microsoft-crowdstrike-outage-australia-internet-banks-media-0a5f792b6571b37a35181d64028fefc4

    WELLINGTON, New Zealand (AP) — A widespread Microsoft outage disrupted
    flights, banks, media outlets and companies around the world on Friday.

    Escalating disruptions continued hours after the technology company said
    it was gradually fixing an issue affecting access to Microsoft 365 apps
    and services.

    The website DownDetector, which tracks user-reported internet outages, recorded growing outages in services at Visa, ADT security and Amazon, and airlines including American Airlines and Delta.

    News outlets in Australia reported that airlines, telecommunications
    providers and banks, and media broadcasters were disrupted as they lost
    access to computer systems. Airlines in the U.K., Europe and India
    reported problems and some New Zealand banks said they were offline.

    Microsoft 365 posted on X that the company was “working on rerouting the impacted traffic to alternate systems to alleviate impact in a more
    expedient fashion” and that they were “observing a positive trend in
    service availability.”

    The company did not respond to a request for comment. It did not explain
    the cause of the outage further.

    New Zealand’s acting prime minister, David Seymour, said on X that
    officials in the country were “moving at pace to understand the potential impacts” of the global problem.

    “I have not currently received any reporting to indicate these issues are related to malicious cyber security activity,” Seymour wrote. The issue
    was causing “inconvenience” for the public and businesses, he added.

    Israel’s Cyber Directorate said that it was among the places affected by the
    global outages, attributing them to a problem with the cybersecurity
    platform Crowdstrike. The outage also hit the country’s post offices and hospitals, according to the ministries of communication and health.

    Meanwhile, major disruptions reported by airlines and airports grew.

    In the U.S., the FAA said the airlines United, American, Delta and
    Allegiant had all been grounded. Travelers at Los Angeles International
    Airport slept on a jetway floor, using backpacks and other luggage for
    pillows, due to a delayed United flight to Dulles International Airport
    early on Friday.

    Airlines, railways and television stations in the United Kingdom were
    being disrupted by the computer issues. The budget airline Ryanair, train operators TransPennine Express and Govia Thameslink Railway, as well as broadcaster Sky News are among those affected.

    “We’re currently experiencing disruption across the network due to a
    global third party IT outage which is out of our control,’’ Ryanair said.
    “We advise all passengers to arrive at the airport at least three hours
    before their scheduled departure time.”

    Edinburgh Airport said the system outage meant waiting times were longer
    than usual. London’s Stansted Airport said some airline check-in services
    were being completed manually, but flights were still operating.

    Widespread problems were reported at Australian airports, where lines grew
    and some passengers were stranded as online check-in services and self-service
    booths were disabled. Passengers in Melbourne queued for more than
    an hour to check in, although flights were still operating.

    Airline operations in India were disrupted, affecting thousands.

    The privately-owned IndiGo airlines told the passengers on X that the
    Microsoft outage on Friday impacted airline operations in India, inconveniencing thousands of passengers.

    Several airlines made statements on X saying that they were following
    manual check-in and boarding processes and warned of delays due to
    technical problems.

    Hong Kong’s Airport Authority said in a statement that the outage was
    affecting some airlines at the city’s airport and they had switched to
    manual check-in.

    Amsterdam’s Schiphol Airport said on its website that the outage was
    having a “major impact on flights” to and from the busy European hub. The outage came on one of the busiest days of the year for the airport, at the start of many people’s summer vacations.

    In Germany, Berlin Airport said Friday morning that “due to a technical
    fault, there will be delays in check-in.” It said that flights were
    suspended until 10 a.m. (0800GMT), without giving details, German news
    agency dpa reported.

    Zurich Airport, the busiest in Switzerland, suspended landings on Friday morning but said flights headed there that were already in the air were
    still allowed to land. It said that several airlines, handling agents and
    other companies at the airport were affected, and that check-in had to be
    done manually in some cases, but that the airport’s own systems were
    running.

    At Rome’s Leonardo da Vinci airport, some US-bound flights had posted
    delays, while others were unaffected.

    Australia appeared to be severely affected by the issue. Outages reported
    on the site DownDetector included the banks NAB, Commonwealth and Bendigo,
    and the airlines Virgin Australia and Qantas, as well as internet and
    phone providers such as Telstra.

    Hospitals in Britain and Germany also reported problems.

    Several practices within the National Health Service in England reported
    that the outage had hit their clinical computer system that contains
    medical records and is used for scheduling.

    “We have no access to patient clinical records so are unable to book appointments or provide information,” Church Lane Surgery in Brighouse in Northern England said on the social media platform X. “This is a national problem and is being worked on as a high priority.”

    The NHS did not immediately respond to requests for comment.

    In northern Germany, the Schleswig-Holstein University Hospital, which has branches in Kiel and Luebeck, said it had canceled all elective surgery scheduled for Friday, but patient and emergency care were unaffected.

    News outlets in Australia — including the ABC and Sky News — were unable
    to broadcast on their TV and radio channels, and reported sudden shutdowns
    of Windows-based computers. Some news anchors broadcast live online from
    dark offices, in front of computers showing “blue screens of death.”

    In South Africa, at least one major bank said it was experiencing
    “nationwide service disruptions” as customers reported they were unable to
    make payments using their bank cards at grocery stores and gas stations.

    The New Zealand banks ASB and Kiwibank said their services were down.

    An X user posted a screenshot of an alert from the company Crowdstrike
    that said the company was aware of “reports of crashes on Windows hosts” related to its Falcon Sensor platform. The alert was posted on a password-protected Crowdstrike site and could not be verified. Crowdstrike did not respond to a request for comment.


    --
    We live in a time where intelligent people are being silenced so that
    stupid people won't be offended.

    Durham Report: The FBI has an integrity problem. It has none.

    No collusion - Special Counsel Robert Swan Mueller III, March 2019.
    Officially made Nancy Pelosi a two-time impeachment loser.

    Thank you for cleaning up the disaster of the 2008-2017 Obama / Biden
    fiasco, President Trump.

    Under Barack Obama's leadership, the United States of America became the
    The World According To Garp. Obama sold out heterosexuals for Hollywood
    queer liberal democrat donors.

    President Trump boosted the economy, reduced illegal invasions, appointed dozens of judges and three SCOTUS justices.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Editor@21:1/5 to Leroy N. Soetoro aka our village Id on Sat Jul 20 04:30:00 2024
    XPost: alt.comp.os.windows-11

    On 20/07/2024 02:29, Leroy N. Soetoro aka our village Idiot wrote:
    WELLINGTON, New Zealand (AP) — A widespread Microsoft outage disrupted flights, banks, media outlets and companies around the world on Friday.
    Nothing to do with Microsoft. CrowdStrike is not a Microsoft company.
    Microsoft creates the Windows operating system that allows 3rd party
    developers to create and sell their own security products to run on
    Windows. Microsoft has now blocked their products from running on
    Windows until CrowdStrike allows Microsoft to have access to the source
    code. Of course Microsoft patches will take time to propagate and users
    have to decide whether to install and block CrowdStrike products.
    Microsoft can't force Windows users to block anything!

    I understand American authorities have allowed Microsoft these temporary measures. Blocking software is generally not allowed under any
    jurisdiction.

  • From Paul@21:1/5 to Leroy N. Soetoro on Sat Jul 20 07:06:24 2024
    XPost: alt.computer.security

    On 7/19/2024 9:29 PM, Leroy N. Soetoro wrote:
    https://apnews.com/article/microsoft-crowdstrike-outage-australia-internet-banks-media-0a5f792b6571b37a35181d64028fefc4

    WELLINGTON, New Zealand (AP) — A widespread
    ...
    An X user posted a screenshot of an alert from the company Crowdstrike
    that said the company was aware of “reports of crashes on Windows hosts” related to its Falcon Sensor platform. ... Crowdstrike did not
    respond to a request for comment.

    One of the jokes I liked, is "the company has decided to rebrand itself -- Crowdstrike".

    I like the airport photo. Such orderly queuing.

    https://www.bbc.com/news/articles/cp4wnrxqlewo

    Paul

  • From Andy Burns@21:1/5 to Editor on Sat Jul 20 13:57:27 2024
    XPost: alt.comp.os.windows-11

    Editor wrote:

    Nothing to do with Microsoft.

    Except Microsoft's services were affected because their backends were
    affected by crowdstrike ...

    What does that say about microsoft's own threat and vulnerability
    tracking products, that they use someone else's?

    CrowdStrike is not a Microsoft company.

  • From Alan@21:1/5 to Chris on Sat Jul 20 17:40:25 2024
    XPost: alt.comp.os.windows-11

    On 2024-07-20 16:43, Chris wrote:
    Andy Burns <usenet@andyburns.uk> wrote:
    Editor wrote:

    Nothing to do with Microsoft.

    Except Microsoft's services

    The MS services affected were ones provided by a corporation who also had deployed crowdstrike.

    were affected because their backends were
    affected by crowdstrike ...

    What does that say about microsoft's own threat and vulnerability
    tracking products, that they use someone else's?

    Nothing? Windows doesn't solve all corporate needs. That's why there's an active and necessary third party ecosystem.

    The fact that a piece of third party software could brick a Windows
    system isn't really very great.

  • From Paul@21:1/5 to Alan on Sat Jul 20 23:19:24 2024
    XPost: alt.comp.os.windows-11

    On 7/20/2024 8:40 PM, Alan wrote:
    On 2024-07-20 16:43, Chris wrote:
    Andy Burns <usenet@andyburns.uk> wrote:
    Editor wrote:

    Nothing to do with Microsoft.

    Except Microsoft's services

    The MS services affected were ones provided by a corporation who also had
    deployed crowdstrike.

    were affected because their backends were
    affected by crowdstrike ...

    What does that say about microsoft's own threat and vulnerability
    tracking products, that they use someone else's?

    Nothing? Windows doesn't solve all corporate needs. That's why there's an
    active and necessary third party ecosystem.

    The fact that a piece of third party software could brick a Windows system isn't really very great.


    If the software is by a white hat, you sign and attest it, and
    then it will pass whatever checks you use to "judge" the
    integrity of pieces of software. You're either inside the fence,
    or you're outside the fence.

    Even Linux has been given a signed shim. And you don't get those
    in the mail. Someone from a distro, has to buy an airplane ticket
    and fly somewhere, for the signing. (There was a blog entry, where
    a dev described what he was doing.) Presumably an air gapped machine,
    a locked room, where the signing is done. They were doing this
    some months ago, for Secure Boot, because as of July 2024, we're on
    a new signing key and the previous one is revoked. You might see
    TPM WMI activity in Eventvwr.msc about it. Even if you're not
    using Secure Boot, some Windows Updates *still* did key revocation.
    As of some time in July 2024, the key revocation final step is pushed out.

    Just so you know, just about every Secure Enclave and Sekret Squirrel
    attempt to secure OSes, has failed. Something was pinned off on Intel processors, because there is an exploit for it, and when malware
    gets in it, it's worse than not having the Enclave at all. So Microcode
    pins it off. And a side effect, is the machine which gets pinned off
    like that (or pinned off in silicon by now), can't play 4K BluRay discs
    in software. Without an enclave to use, the software can only play
    at 1080 resolution.

    It's just a whole lot of silly stuff (and "humans are involved").
    That's how you know whatever effort is made, it will be silly.
    For example, what happened to Pluton ??? There was P.R. information,
    and nobody has said a word about it for the last two years. Silence.
    I suppose this is to be expected, is normal, just like FDE was
    announced, and the implementation was apparently delayed, the first
    gen was a crypto disaster, and now... there is FDE in just about
    every "big" storage device. A USB stick has a private version, if
    available (would not be advertised as FDE, would have another name).

    "Microsoft Pluton

    Pluton is a Microsoft-designed security subsystem that implements a
    hardware-based root of trust for Azure Sphere. It includes a security
    processor core, cryptographic engines, a hardware random number generator,
    public/private key generation, asymmetric and symmetric encryption,
    support for elliptic curve digital signature algorithm (ECDSA)
    verification for secured boot, and measured boot in silicon to support
    remote attestation with a cloud service, and various tampering counter-measures.
    "

    In other words, a TPM without an exposed hardware bus to allow hacking.
    And no motherboard jumper to disable it.
    And it can't be unplugged. It was deployed in at least a couple
    AMD laptop processors (that means it is in the field, to some
    known or unknown extent).

    https://forums.freebsd.org/threads/microsoft-pluton-processor-inside-any-amd-intel-qualcom-processors-from-2022.85329/

    "Pluton solves nothing but introduces a deadly vulnerability,
    a single point of failure for everybody."

    Let us just hope there is a microcode bit that can neuter it, just
    like previous efforts had a control of some sort.

    There are a *lot* of random processors, inside a computer. A lot.

    When W11 24H2 comes in (moments from now!!! like real soon!!!),
    they will be attempting to encrypt all the C: drives. If you have W11Home,
    the method will be FDE based. If you have W11Pro, the method will be Bitlocker based.
    Will they tell you they did it ? Bueller ?

    And nobody cares if you're inconvenienced, like some people today
    had their computer recovery made more difficult, by their C: drive
    being encrypted (CrowdStrike).

    What we're doing, is letting people less clever than us,
    take over our computers. Crowdstrike! Klunk. Here, have a
    pair of handcuffs, they're free and everyone can have some.
    Pluton! (God bless you). Oh, sorry, that was just a sneeze.

    Paul

  • From Alan@21:1/5 to Paul on Sat Jul 20 20:58:50 2024
    XPost: alt.comp.os.windows-11

    On 2024-07-20 20:19, Paul wrote:
    On 7/20/2024 8:40 PM, Alan wrote:
    On 2024-07-20 16:43, Chris wrote:
    Andy Burns <usenet@andyburns.uk> wrote:
    Editor wrote:

    Nothing to do with Microsoft.

    Except Microsoft's services

    The MS services affected were ones provided by a corporation who also had deployed crowdstrike.

    were affected because their backends were
    affected by crowdstrike ...

    What does that say about microsoft's own threat and vulnerability
    tracking products, that they use someone else's?

    Nothing? Windows doesn't solve all corporate needs. That's why there's an active and necessary third party ecosystem.

    The fact that a piece of third party software could brick a Windows system isn't really very great.


    If the software is by a white hat, you sign and attest it, and
    then it will pass whatever checks you use to "judge" the
    integrity of pieces of software. You're either inside the fence,
    or you're outside the fence.

    Sorry, but it's not that simple.

    Even signed software should be killed when it tries to access a
    privileged memory address.

  • From Andy Burns@21:1/5 to Chris on Sun Jul 21 08:24:38 2024
    XPost: alt.comp.os.windows-11

    Chris wrote:

    Andy Burns <usenet@andyburns.uk> wrote:

    Editor wrote:

    Nothing to do with Microsoft.

    Except Microsoft's services

    The MS services affected were ones provided by a corporation who also had deployed crowdstrike.
    <https://portal.office.com/adminportal/home#/servicehealth/history/:/alerts/MO821132>

  • From Newyana2@21:1/5 to Editor on Sun Jul 21 07:58:29 2024
    XPost: alt.comp.os.windows-11

    On 7/20/2024 12:30 AM, Editor wrote:

    Nothing to do with Microsoft. CrowdStrike is not a Microsoft company.

    True. The primary lesson from this is that so-called
    Agile programming and drip-feed updates are a basic system
    integrity problem. But people have been convinced that
    dripfeed means secure, shiny and new.

    I haven't seen a single tech media wiseacre question why an
    AV driver was being swapped out as a passive dripfeed update
    in the first place. Probably hundreds of companies, including MS,
    are routinely using their customers as unpaid beta testers. With
    an MS Office update the IT people will at least test it themselves
    before they distribute it "across the enterprise". But there's
    increasing dripfeed going on even in IT-supervised companies.

    This one wasn't Microsoft's fault, but it just as well could
    have been. MS have also instigated dripfeed updates and
    plenty of problems have happened:

    https://www.pcworld.com/article/2249204/microsoft-confirms-broken-windows-11-update-offers-workaround.html

    But now people have been conditioned to believe that if they
    turn off the seat-of-the-pants update faucet then they'll be
    instantly attacked by malware. (There are questions posted
    regularly on Reddit about what to do with Win10 computers
    after October 2025, as though any computer without the latest
    dripfeed will turn into a pumpkin.)

  • From Paul@21:1/5 to Alan on Sun Jul 21 08:02:35 2024
    XPost: alt.comp.os.windows-11

    On 7/20/2024 11:58 PM, Alan wrote:
    On 2024-07-20 20:19, Paul wrote:
    On 7/20/2024 8:40 PM, Alan wrote:
    On 2024-07-20 16:43, Chris wrote:
    Andy Burns <usenet@andyburns.uk> wrote:
    Editor wrote:

    Nothing to do with Microsoft.

    Except Microsoft's services

    The MS services affected were ones provided by a corporation who also had deployed crowdstrike.

    were affected because their backends were
    affected by crowdstrike ...

    What does that say about microsoft's own threat and vulnerability
    tracking products, that they use someone else's?

    Nothing? Windows doesn't solve all corporate needs. That's why there's an active and necessary third party ecosystem.

    The fact that a piece of third party software could brick a Windows system isn't really very great.


    If the software is by a white hat, you sign and attest it, and
    then it will pass whatever checks you use to "judge" the
    integrity of pieces of software. You're either inside the fence,
    or you're outside the fence.

    Sorry, but it's not that simple.

    Even signed software should be killed when it tries to access a privileged memory address.


    https://www.techrepublic.com/article/crowdstrikes-security-software-targets-bad-guys-not-their-malware/

    "On the detection front, we need world-class, host-based detection;
    something that operates at the kernel level and detects the
    most sophisticated attacks," mentions Brian Kelly, CSO for Rackspace.
    "That is where CrowdStrike shines."

    Aiming for the bad actors, not their malware...
    "

    Windows only uses two Rings. The non-privileged level (Ring 3) is where applications
    run. Those are the things that have rules applied to them.

    The Privileged Ring 0, is where the kernel and drivers live. The drivers are
    a modular extension of the kernel, there to make the best usage of custom hardware added to a system (the Realtek sound chip, the Realtek NIC, the
    NVidia video card).

    The design, was never intended for malware or antivirus scenarios.
    What you propose, requires another ring, and the end result is
    the "new ring" is no less vulnerable, than the Ring 3 for applications.
    It's just another application ring. And we know how well that worked.

    Since the state of Windows documentation is poor, the only way we
    will know the operating system model has changed, is if we see
    the Ring model of Linux change. Watching competitors copy features,
    will admit to what those features are.

    The OS does not need more "walls". That's been tried and is a failure.
    Every time you put up an additional wall, that meets at an odd angle
    and has a gap in it, it's an attack surface, and someone
    fuzzes it until they find a hole. In the memory mapper, making
    code space read-only, preventing the PC register from jumping into
    data segments, these are things that work, but... nobody builds
    challenges based on breaking through those. As OSes become more
    and more bloated, there are just more and more attack surfaces,
    like things with crypto holes in it. (Crypto schemes are invariably
    poorly done, when kept secret and the "right people" in the public
    space have not reviewed them. Crypto is so fraught, "everyone"
    has to look at proposed schemes. No one crypto expert, knows it all.)

    To beat a rootkit, you have to be a rootkit.

    Having the OS company craft the solution, is one way to ensure the
    effort to do these things, is a "best effort". If your goal is
    "I don't test often, but when I do, I test in Production",
    you're the wrong partner.

    Paul

  • From Newyana2@21:1/5 to Paul on Sun Jul 21 08:30:24 2024
    XPost: alt.comp.os.windows-11

    On 7/21/2024 8:02 AM, Paul wrote:


    Even signed software should be killed when it tries to access a privileged memory address.


    https://www.techrepublic.com/article/crowdstrikes-security-software-targets-bad-guys-not-their-malware/

    "On the detection front, we need world-class, host-based detection;
    something that operates at the kernel level and detects the
    most sophisticated attacks," mentions Brian Kelly, CSO for Rackspace.
    "That is where CrowdStrike shines."

    Aiming for the bad actors, not their malware...
    "

    Windows only uses two Rings. The non-privileged level (Ring 3) is where applications
    run. Those are the things that have rules applied to them.


    I think the reactions happening are mainly emotional. People
    have got used to regarding tech people as powerful science mages
    who conjure Siri and Copilot and make our lives work. The general
    theme in the news was that "we were reminded of how dependent
    we are on technology". No shit. But no one's learning a lesson. We
    just want to know who to blame for this bizarre fluke.

    It's interesting how short our memories have become. My parents
    used to keep plenty of candles and packed Dinty Moore beef stew
    onto the shelves over the cellar stairs. Everyone had a fireplace.

    I backed up food during the pandemic, I keep working flashlights
    around, and I think I have a candle somewhere.

    When a hurricane hit NYC, the yuppies living via cellphone in
    Manhattan had no way to even get a weather report, and of course
    their DoorDash lunch was already eaten. So they undertook the
    dangerous trek uptown, in search of civilization and a working electrical outlet to charge their cellphones.

    If a major Carrington event somehow burns out computer chips,
    everything will stop. Manhattan will starve within days. Suburbanites
    will be reduced to looking up which weeds are edible among the plants
    that they haven't yet sprayed with RoundUp. Only rural, agrarian folk
    will have a chance. But on the bright side, we'll surely string up
    whoever was at fault. :)

  • From Editor@21:1/5 to All on Sun Jul 21 19:45:23 2024
    XPost: alt.comp.os.windows-11

    On 21/07/2024 12:58, Newyana2 wrote:
    On 7/20/2024 12:30 AM, Editor wrote:

    Nothing to do with Microsoft. CrowdStrike is not a Microsoft company.

      True. The primary lesson from this is that so-called
    Agile programming and drip-feed updates are a basic system
    integrity problem. But people have been convinced that
    dripfeed means secure, shiny and new.

      I haven't seen a single tech media wiseacre question why an
    AV driver was being swapped out as a passive dripfeed update
    in the first place. Probably hundreds of companies, including MS,
    are routinely using their customers as unpaid beta testers. With
    an MS Office update the IT people will at least test it themselves
    before they distribute it "across the enterprise". But there's
    increasing dripfeed going on even in IT-supervised companies.

      This one wasn't Microsoft's fault, but it just as well could
    have been. MS have also instigated dripfeed updates and
    plenty of problems have happened:

    https://www.pcworld.com/article/2249204/microsoft-confirms-broken-windows-11-update-offers-workaround.html


      But now people have been conditioned to believe that if they
    turn off the seat-of-the-pants update faucet then they'll be
    instantly attacked by malware. (There are questions posted
    regularly on Reddit about what to do with Win10 computers
    after October 2025, as though any computer without the latest
    dripfeed will turn into a pumpkin.)


    CrowdStrike made a very simple error of judgement. Normally, when
    updates are released, they are done in a controlled manner. This means
    that updates are offered to a select few customers in a particular geographical area. For whatever reasons, CrowdStrike decided to update everybody and this resulted in a meltdown. They tried to blame Microsoft
    first but Microsoft retaliated by stopping their servers.

    With VPS, users are responsible for their own servers and in this case CrowdStrike were responsible for the misconfiguration of their server or servers. These servers are hosted on Microsoft Azure so everybody
    started blaming Microsoft. I have a VPS server on Azure but it is my responsibility. I can do whatever I want as long as it is legal
    and Microsoft won't touch it. The only time Microsoft gets involved is
    when I can't resolve something and so Microsoft will handle it and
    charge me for the service.

    Microsoft doesn't get involved with customers' servers. They don't even
    do backups as far as I know. I do my own backups once a week because I
    don't have anything useful going on. Just a simple Joomla website which
    changes once in a blue moon!!

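A staged-rollout gate of the kind the post above describes (a few canary hosts, then one region, then the whole fleet, with each ring released only if the previous one stayed healthy), added here as example code rather than anything from CrowdStrike, Microsoft or the thread; the fleet, ring split, crash model and threshold are constructed assumptions.

```python
"""Staged rollout gate: push an update ring by ring and stop at the first ring
whose post-update crash rate exceeds a threshold. Example code added to the
thread, not CrowdStrike's or Microsoft's; the fleet, ring split, crash model
and threshold below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    region: str


@dataclass
class RolloutResult:
    status: str                                        # "completed" or "halted"
    rings_done: List[str] = field(default_factory=list)
    updated: List[Host] = field(default_factory=list)  # hosts that received the update
    crash_rate: Dict[str, float] = field(default_factory=dict)


def build_rings(hosts: List[Host], first_region: str) -> List[Tuple[str, List[Host]]]:
    """Split the fleet into three rings:
    canary  - one host per region, so a region-specific fault is seen early
    region  - the rest of `first_region` (the "particular geographical area")
    fleet   - everybody else
    """
    canaries: List[Host] = []
    seen = set()
    for h in hosts:
        if h.region not in seen:
            seen.add(h.region)
            canaries.append(h)
    canary_set = set(canaries)
    region_ring = [h for h in hosts if h.region == first_region and h not in canary_set]
    rest = [h for h in hosts if h.region != first_region and h not in canary_set]
    return [("canary", canaries), ("region:" + first_region, region_ring), ("fleet", rest)]


def staged_rollout(hosts: List[Host], first_region: str,
                   survives: Callable[[Host], bool],
                   max_crash_rate: float = 0.0) -> RolloutResult:
    """Apply the update one ring at a time. `survives(host)` stands in for the
    post-update health check (did the host boot and report back?). The next
    ring is released only when the current ring's crash rate is acceptable."""
    result = RolloutResult(status="completed")
    for ring_name, members in build_rings(hosts, first_region):
        if not members:
            continue
        crashed = 0
        for h in members:
            result.updated.append(h)          # the update is already on this host
            if not survives(h):
                crashed += 1
        rate = crashed / len(members)
        result.crash_rate[ring_name] = rate
        result.rings_done.append(ring_name)
        if rate > max_crash_rate:             # gate trips: nothing further is pushed
            result.status = "halted"
            break
    return result


def big_bang(hosts: List[Host], survives: Callable[[Host], bool]) -> int:
    """Update everybody at once (no gate); returns how many hosts crashed."""
    return sum(1 for h in hosts if not survives(h))


# Constructed sample fleet: ten hosts in each of two regions.
FLEET = [Host(f"host-{region}-{i:02d}", region)
         for region in ("us-west", "eu-central") for i in range(10)]


def always_crashes(host: Host) -> bool:
    """Constructed fault model: the update takes down every host it lands on."""
    return False


if __name__ == "__main__":
    gated = staged_rollout(FLEET, "us-west", always_crashes)
    print(f"staged: {gated.status} after {gated.rings_done}, "
          f"{len(gated.updated)} of {len(FLEET)} hosts affected")
    print(f"big bang: {big_bang(FLEET, always_crashes)} of {len(FLEET)} hosts affected")
```

With the all-hosts-crash model the gated rollout stops after the two canaries, while the ungated push takes down all twenty.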
  • From Paul@21:1/5 to Chris on Sun Jul 21 19:29:24 2024
    XPost: alt.comp.os.windows-11

    On 7/21/2024 5:07 PM, Chris wrote:
    Alan <nuh-uh@nope.com> wrote:
    On 2024-07-20 16:43, Chris wrote:
    Andy Burns <usenet@andyburns.uk> wrote:
    Editor wrote:

    Nothing to do with Microsoft.

    Except Microsoft's services

    The MS services affected were ones provided by a corporation who also had deployed crowdstrike.

    were affected because their backends were
    affected by crowdstrike ...

    What does that say about microsoft's own threat and vulnerability
    tracking products, that they use someone else's?

    Nothing? Windows doesn't solve all corporate needs. That's why there's an active and necessary third party ecosystem.

    The fact that a piece of third party software could brick a Windows
    system isn't really very great.

    It's not just some desktop application. By necessity it is a pretty
    low-level service so if it goes rogue it can be damaging. Although, I do get your point. I wonder if something like the Mac's SIP would have saved the situation?


    I kinda wonder what would happen in Safe Mode.
    Drivers are not loaded in Safe Mode (with some selection options).
    What about other garbage ? Is it loaded ?

    I noticed in a few of the articles, there were complaints about
    "hard to get into Safe Mode". Well, not at my house. Safe Mode
    is in my boot menu, as an option.

    bcdedit /set {bootmgr} displaybootmenu True

    I also have Hibernation turned off, so Fast Start cannot be used.

    powercfg /h off

    My menu where I select the Windows OS to run, has an F8 option in it,
    due to the first command above.

    The TDSS rootkit, I think it patched (changed the size of) atapi.sys,
    and likely atapi.sys must always load, whether Safe Mode or regular boot.
    While Safe Mode can avoid some junk, it can't avoid all of it.

    Paul

  • From Paul@21:1/5 to Editor on Mon Jul 22 08:38:10 2024
    XPost: alt.comp.os.windows-11

    On 7/21/2024 3:45 PM, Editor wrote:
    On 21/07/2024 12:58, Newyana2 wrote:
    On 7/20/2024 12:30 AM, Editor wrote:

    Nothing to do with Microsoft. CrowdStrike is not a Microsoft company.

      True. The primary lesson from this is that so-called
    Agile programming and drip-feed updates are a basic system
    integrity problem. But people have been convinced that
    dripfeed means secure, shiny and new.

      I haven't seen a single tech media wiseacre question why an
    AV driver was being swapped out as a passive dripfeed update
    in the first place. Probably hundreds of companies, including MS,
    are routinely using their customers as unpaid beta testers. With
    an MS Office update the IT people will at least test it themselves
    before they distribute it "across the enterprise". But there's
    increasing dripfeed going on even in IT-supervised companies.

      This one wasn't Microsoft's fault, but it just as well could
    have been. MS have also instigated dripfeed updates and
    plenty of problems have happened:

    https://www.pcworld.com/article/2249204/microsoft-confirms-broken-windows-11-update-offers-workaround.html


      But now people have been conditioned to believe that if they
    turn off the seat-of-the-pants update faucet then they'll be
    instantly attacked by malware. (There are questions posted
    regularly on Reddit about what to do with Win10 computers
    after October 2025, as though any computer without the latest
    dripfeed will turn into a pumpkin.)


    CrowdStrike made a very simple error of judgement. Normally, when
    updates are released, they are done in a controlled manner. This means
    that updates are offered to a select few customers in a particular
    geographical area. For whatever reasons, CrowdStrike decided to update
    everybody and this resulted in a meltdown. They tried to blame Microsoft
    first but Microsoft retaliated by stopping their servers.

    With VPS, users are responsible for their own servers and in this case
    CrowdStrike were responsible for the misconfiguration of their server or
    servers. These servers are hosted on Microsoft Azure so everybody
    started blaming Microsoft. I have a VPS server on Azure but it is my
    responsibility. I can do whatever I want as long as it is legal
    and Microsoft won't touch it. The only time Microsoft gets involved is
    when I can't resolve something and so Microsoft will handle it and
    charge me for the service.

    Microsoft doesn't get involved with Customers servers. They don't even
    do backups as far as I know. I do my own backups once a week because I
    don't have anything useful going on. Just a simple Joomla website which
    changes once in a blue moon!!


    Microsoft does play a part.

    The WHQL lab "approved" the driver level code that runs in
    Ring0, knowing the details of the attack surface such an
    approach would bring.

    It's kinda like this.

    <son> "Dad, I'd like to borrow the car for a date tonight.
    And, I plan to drive faster than the speed limit, to impress my date."

    <dad> "Son, I'm glad you admitted what you plan to do.
    Here are the keys. Enjoy yourself."

    Paul


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to Alan on Mon Jul 22 08:34:28 2024
    XPost: alt.comp.os.windows-11

    On 7/20/2024 11:58 PM, Alan wrote:
    On 2024-07-20 20:19, Paul wrote:
    On 7/20/2024 8:40 PM, Alan wrote:
    On 2024-07-20 16:43, Chris wrote:
    Andy Burns <usenet@andyburns.uk> wrote:
    Editor wrote:

    Nothing to do with Microsoft.

    Except Microsoft's services

    The MS services affected were ones provided by a corporation who also had
    deployed crowdstrike.

    were affected because their backends were
    affected by crowdstrike ...

    What does that say about microsoft's own threat and vulnerability
    tracking products, that they use someone else's?

    Nothing? Windows doesn't solve all corporate needs. That's why there's an
    active and necessary third party ecosystem.

    The fact that a piece of third party software could brick a Windows system isn't really very great.


    If the software is by a white hat, you sign and attest it, and
    then it will pass whatever checks you use to "judge" the
    integrity of pieces of software. You're either inside the fence,
    or you're outside the fence.

    Sorry, but it's not that simple.

    Even signed software should be killed when it tries to access a privileged memory address.

    There is a Youtube video by Dave Plummer (retired Microsoft employee),
    and it contains a strawman as to how the Crowdstrike thing works.
    The white hat code of ethics is not violated, because this is a
    "hint" at how it works, with suitably thin details. It's no more
    than a guess, in other words, or is worded like it is a guess.

    "Crowdstrike outage explained by former Windows Developer..."

    https://youtu.be/wAzEJxOo1ts

    So the detail I missed, is the Crowdstrike is a driver, meaning
    Safe Mode could avoid loading it. However, their driver is
    "marked" as "boot material", implying it is essential to booting
    the machine (like I described a SATA driver as being essential
    in Safe Mode). The Crowdstrike driver then, is still loaded
    in Safe Mode, or should be.

    The Crowdstrike driver is WHQL approved and signed (attesting it's
    been tested). The Crowdstrike driver does not change often.
    It does not change often, because it's a P-code interpreter
    (or that's the "style" or "architecture approach" to what they're
    doing).

    P-code, is a terminology from the Pascal language era (we used that
    at work). Pascal could be "compiled" to assembler, or it could be "interpreted". Some more modern languages also offer these sorts
    of options. When a person refers to P-code, that's a reference
    to the old Pascal way of having a higher level language than
    assembler, and an interpreter runs that dynamically at run time
    (converts a P-code opcode into machine language operations, using
    short subroutines).

    That means, when an AV definition comes into the machine, the
    Crowdstrike driver "interprets" the P-code. That makes the scheme
    "agile", so code written an hour ago, can be pushed out to 8 million
    machines at once. The P-code shipped of course, is NOT WHQL
    certified.

    Well, what do you need to do in an interpreter ? You need to
    sanitize the instruction stream thoroughly. In the Pascal era
    (tightly typed), the Pascal interpreter would check that
    an array access, did not go past array boundaries. If
    you declared I[16], say, an array of 16 integers, the interpreter
    would check that the index was between 0..15 and not outside
    of that range (in other words, range checking is enabled).
    Other languages might not sanitize like that
    (languages slightly more likely to crash). Not
    all HLL are tightly typed.

    So now that we know that the Crowdstrike "driver" only exists
    to punch a hole in the kernel infrastructure (get WHQL approval
    and signing), then it is up to the "sanitizing code" in the
    "driver", to not fuck up and allow illegal operations
    to be processed and not stopped in time. Like the array example,
    each P-code needs to be examined so that it has the
    expected level of side-effects. And does not "drop the kernel"
    because it did something naughty in an environment (Ring0)
    with few actual protections.

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to Paul on Mon Jul 22 13:59:26 2024
    XPost: alt.comp.os.windows-11

    Paul wrote:

    Microsoft does play a part.

    The WHQL lab "approved" the driver level code that runs in
    Ring0, knowing the details of the attack surface such an
    approach would bring.

    And further than that, the crowdstrike driver is marked as a boot-start
    driver, so if it fails to load, the machine won't continue.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ed Cryer@21:1/5 to Andy Burns on Mon Jul 22 15:57:02 2024
    XPost: alt.comp.os.windows-11

    Andy Burns wrote:
    Paul wrote:

    Microsoft does play a part.

    The WHQL lab "approved" the driver level code that runs in
    Ring0, knowing the details of the attack surface such an
    approach would bring.

    And further than that, the crowdstrike driver is marked as a boot-start driver, so if it fails to load, the machine won't continue.


    That's very worrying.
    1. Crowdstrike are fully licensed to issue updates into crucial areas of Windows.
    2. MS don't do their own validation.
    3. Question; how many other companies have similar privileged access?

    Ed

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Newyana2@21:1/5 to Ed Cryer on Mon Jul 22 11:45:42 2024
    XPost: alt.comp.os.windows-11

    On 7/22/2024 10:57 AM, Ed Cryer wrote:

    3. Question; how many other companies have similar privileged access?


    Anyone who you allow. Notable in all this is that all these failed
    computers were set up to allow CrowdStrike to do as they liked
    without notice. Why are regular driver updates required? What sort
    of IT people are allowing this and why aren't they being looked at?

    Microsoft and others have also caused big problems in the past.
    Maybe not so clearly obvious in terms of commercial products
    like airlines failing, but buggy updates are nothing new.

    You might be surprised at how many developers have no idea
    how their software runs or what it requires. That's why MS started
    locking down system files. People would install any old thing with
    no understanding of versions or dependencies. Even Microsoft have
    done that. There was a notable case at one time with the richedit
    library that's used in Write, Wordpad and a lot of 3rd-party software.
    At one time there were 3 versions that all had the same file name
    and version. Only the file size varied! Installing the wrong one could
    mess up a system. Very few developers know anything about those
    issues. They depend on their installer tools to sort it out.

    Into that scenario then came the idea of spyware telemetry as
    routine and calling home for dripfeed updates. You might have dozens
    of programs running dripfeed updates without asking. Why? Especially
    with drivers. That's crazy. If there's no problem then why fix it?
    Because it's the latest fad. It's preparing the public for rental software
    by taking control away from the person who actually uses the software.
    It's also satisfying the popular preconception that newer is better and
    more newer is more better. That's how we got the totally indefensible
    idea of agile programming. Look at the people in the Firefox newsgroup
    who can't wait to get the latest version. Why? These are tech-literate
    people, yet they've fallen for the idiocy that all software should update
    as much as possible.

    Updates used to be mainly to add new features. Testing usually resulted
    in solid software. For example, I still use Paint Shop Pro 5 from 1999.
    There
    was one update 5.01 and I think there was an update 5.03. As I recall it
    was to deal with some issue with ZIP drives. It's still stable 25 years
    later.
    (I also have PSP 16, but that's a bloated mess put out by Corel, with no notable improvements.)

    We don't even know what's changed in the latest version of most
    software. Concurrent with this seat-of-the-pants manic updating has been
    a trend to obscure what, if anything, is in the latest update. I personally avoid updating anything until there's been time for reviews and info. Most
    big corporations do the same. They test out updates before installing
    across
    the "fleet" of computers. SOHo users are now serving as unpaid beta
    testers, effectively unable to stop Windows dripfeed updates and largely unaware of
    3rd-party updates.

    Long story short, if you're not using a firewall and blocking all
    this traffic,
    disabling updates that you haven't specifically needed and instigated, then your computer probably has all sorts of entities coming and going -- spying, installing updates, etc, without telling you. But the airline IT people
    should
    have known better.

    Comically, I was reading that Southwest escaped the problems because
    they're still running a combination of Win 3.1 and 95. :)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to Ed Cryer on Mon Jul 22 18:02:37 2024
    XPost: alt.comp.os.windows-11

    Ed Cryer wrote:

    That's very worrying.
    1. Crowdstrike are fully licensed to issue updates into crucial areas of Windows.

    only for crowdstrike customers, not joe bloggs

    2. MS don't do their own validation.

    microsoft have validated and WHQL-signed the crowdstrike driver, the
    driver doesn't change (or requires resigning when it does), but the
    downloaded definition files changed, and caused the driver to crash.

    3. Question; how many other companies have similar privileged access?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to All on Mon Jul 22 18:04:29 2024
    XPost: alt.comp.os.windows-11

    Newyana2 wrote:

    Notable in all this is that all these failed
    computers were set up to allow CrowdStrike to do as they liked
    without notice. Why are regular driver updates required? What sort
    of IT people are allowing this and why aren't they being looked at?

    if you want to catch 0-day malware, you can't wait a week while your IT
    dept test definition updates several times per day

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ed Cryer@21:1/5 to All on Mon Jul 22 19:03:53 2024
    XPost: alt.comp.os.windows-11

    Newyana2 wrote:
    On 7/22/2024 10:57 AM, Ed Cryer wrote:

    3. Question; how many other companies have similar privileged access?


      Anyone who you allow. Notable in all this is that all these failed
    computers were set up to allow CrowdStrike to do as they liked
    without notice. Why are regular driver updates required? What sort
    of IT people are allowing this and why aren't they being looked at?

      Microsoft and others have also caused big problems in the past.
    Maybe not so clearly obvious in terms of commercial products
    like airlines failing, but buggy updates are nothing new.

      You might be surprised at how many developers have no idea
    how their software runs or what it requires. That's why MS started
    locking down system files. People would install any old thing with
    no understanding of versions or dependencies. Even Microsoft have
    done that. There was a notable case at one time with the richedit
    library that's used in Write, Wordpad and a lot of 3rd-party software.
    At one time there were 3 versions that all had the same file name
    and version. Only the file size varied! Installing the wrong one could
    mess up a system. Very few developers know anything about those
    issues. They depend on their installer tools to sort it out.

      Into that scenario then came the idea of spyware telemetry as
    routine and calling home for dripfeed updates. You might have dozens
    of programs running dripfeed updates without asking. Why? Especially
    with drivers. That's crazy. If there's no problem then why fix it?
    Because it's the latest fad. It's preparing the public for rental software
    by taking control away from the person who actually uses the software.
    It's also satisfying the popular preconception that newer is better and
    more newer is more better. That's how we got the totally indefensible
    idea of agile programming. Look at the people in the Firefox newsgroup
    who can't wait to get the latest version. Why? These are tech-literate
    people, yet they've fallen for the idiocy that all software should update
    as much as possible.

      Updates used to be mainly to add new features. Testing usually resulted
    in solid software. For example, I still use Paint Shop Pro 5 from 1999.
    There
    was one update 5.01 and I think there was an update 5.03. As I recall it
    was to deal with some issue with ZIP drives. It's still stable 25 years
    later.
    (I also have PSP 16, but that's a bloated mess put out by Corel, with no
    notable improvements.)

      We don't even know what's changed in the latest version of most
    software. Concurrent with this seat-of-the-pants manic updating has been
    a trend to obscure what, if anything, is in the latest update. I personally
    avoid updating anything until there's been time for reviews and info. Most
    big corporations do the same. They test out updates before installing
    across
    the "fleet" of computers. SOHo users are now serving as unpaid beta
    testers, effectively unable to stop Windows dripfeed updates and largely
    unaware of
    3rd-party updates.

      Long story short, if you're not using a firewall and blocking all
    this traffic,
    disabling updates that you haven't specifically needed and instigated, then
    your computer probably has all sorts of entities coming and going --
    spying,
    installing updates, etc, without telling you. But the airline IT people
    should
    have known better.

      Comically, I was reading that Southwest escaped the problems because
    they're still running a combination of Win 3.1 and 95. :)


    I've read lots of people criticising "They shouldn't have allowed
    automatic updates; they certainly shouldn't have allowed driver updates".
    But what if both of those were in the negative; and savvy people looked
    at the update list, saw one from a respected security co. relevant to
    their systems, and just simply ticked "install". That's a responsible
    approach. What should they have done other than that, when so many
    experts are constantly battering into their ears "Install updates"?
    A possible outcome could have been that just hours after NOT installing
    the update their systems were infiltrated and compromised. And then the
    music would have been different; "You should have done it, you should
    have done it".

    Some poor sap of a programmer working for Crowdstrike will have taken
    the fall for this. But he had an open doorway into Windows, allowed by
    his superiors and woe betide him if he didn't do it.

    Ed

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to ...winston on Mon Jul 22 18:57:31 2024
    XPost: alt.comp.os.windows-11

    On 7/22/2024 4:47 PM, ...winston wrote:


    It's really much simpler than all that's being discussed.

    Crowdstrike made their device driver files ‘required for boot’, to prevent any external process from doing what people are describing and/or now trying to do.


    Yes, the "required for boot" adds an element of difficulty
    for removal and recovery.

    But the "punching holes in WHQL", what can I say ?

    We have to make tough choices sometimes.

    Which is worse ? A machine dropped by a blackhat, or
    a machine dropped by a whitehat ? This is the
    choice we're making. Or being asked to make.

    And notice when a whitehat makes a mistake, the
    multiplier effect is huge.

    It's easier when it is a single vendor, because
    the objectives are laser-sharp.

    "I don't test very often, but when I do, I test in Production" :-)

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Newyana2@21:1/5 to Andy Burns on Mon Jul 22 20:03:37 2024
    XPost: alt.comp.os.windows-11

    On 7/22/2024 1:04 PM, Andy Burns wrote:
    Newyana2 wrote:

    Notable in all this is that all these failed
    computers were set up to allow CrowdStrike to do as they liked
    without notice. Why are regular driver updates required? What sort
    of IT people are allowing this and why aren't they being looked at?

    if you want to catch 0-day malware, you can't wait a week while your IT
    dept test definition updates several times per day

    They're not going to catch 0-days by definition. Of course there's
    something to be said for frequent AV updates, but there are also
    problems. The whole idea of virus definitions is out of date. And none
    of that explains why anyone is allowing a system-critical driver to be
    updated automatically.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Newyana2@21:1/5 to Paul on Mon Jul 22 20:38:13 2024
    XPost: alt.comp.os.windows-11

    On 7/22/2024 6:57 PM, Paul wrote:

    "I don't test very often, but when I do, I test in Production" :-)


    I hadn't realized how reckless software development has become.
    Agile programming. Testing in production. TIP should be what focus
    groups are for, BEFORE the code is written. Yet I see both methods
    propagandized as the latest improvement in software. It seems to
    be basically Zuck's MO: Move fast and break things. There's an
    interesting philosophical preconception embedded in that thinking,
    which is the assumption that new is by definition better. Whatever the
    product is, it must be changed and it must be changed soon, as a
    matter of principle. Change masquerading as quality control.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Newyana2@21:1/5 to Ed Cryer on Mon Jul 22 20:24:11 2024
    XPost: alt.comp.os.windows-11

    On 7/22/2024 2:03 PM, Ed Cryer wrote:
    Newyana2 wrote:
    On 7/22/2024 10:57 AM, Ed Cryer wrote:

    3. Question; how many other companies have similar privileged access?


       Anyone who you allow. Notable in all this is that all these failed
    computers were set up to allow CrowdStrike to do as they liked
    without notice. Why are regular driver updates required? What sort
    of IT people are allowing this and why aren't they being looked at?

       Microsoft and others have also caused big problems in the past.
    Maybe not so clearly obvious in terms of commercial products
    like airlines failing, but buggy updates are nothing new.

       You might be surprised at how many developers have no idea
    how their software runs or what it requires. That's why MS started
    locking down system files. People would install any old thing with
    no understanding of versions or dependencies. Even Microsoft have
    done that. There was a notable case at one time with the richedit
    library that's used in Write, Wordpad and a lot of 3rd-party software.
    At one time there were 3 versions that all had the same file name
    and version. Only the file size varied! Installing the wrong one could
    mess up a system. Very few developers know anything about those
    issues. They depend on their installer tools to sort it out.

       Into that scenario then came the idea of spyware telemetry as
    routine and calling home for dripfeed updates. You might have dozens
    of programs running dripfeed updates without asking. Why? Especially
    with drivers. That's crazy. If there's no problem then why fix it?
    Because it's the latest fad. It's preparing the public for rental
    software
    by taking control away from the person who actually uses the software.
    It's also satisfying the popular preconception that newer is better and
    more newer is more better. That's how we got the totally indefensible
    idea of agile programming. Look at the people in the Firefox newsgroup
    who can't wait to get the latest version. Why? These are tech-literate
    people, yet they've fallen for the idiocy that all software should update
    as much as possible.

       Updates used to be mainly to add new features. Testing usually
    resulted
    in solid software. For example, I still use Paint Shop Pro 5 from
    1999. There
    was one update 5.01 and I think there was an update 5.03. As I recall it
    was to deal with some issue with ZIP drives. It's still stable 25
    years later.
    (I also have PSP 16, but that's a bloated mess put out by Corel, with no
    notable improvements.)

       We don't even know what's changed in the latest version of most
    software. Concurrent with this seat-of-the-pants manic updating has been
    a trend to obscure what, if anything, is in the latest update. I
    personally
    avoid updating anything until there's been time for reviews and info.
    Most
    big corporations do the same. They test out updates before installing
    across
    the "fleet" of computers. SOHo users are now serving as unpaid beta
    testers, effectively unable to stop Windows dripfeed updates and
    largely unaware of
    3rd-party updates.

       Long story short, if you're not using a firewall and blocking all
    this traffic,
    disabling updates that you haven't specifically needed and instigated,
    then
    your computer probably has all sorts of entities coming and going --
    spying,
    installing updates, etc, without telling you. But the airline IT
    people should
    have known better.

       Comically, I was reading that Southwest escaped the problems because
    they're still running a combination of Win 3.1 and 95. :)


    I've read lots of people criticising "They shouldn't have allowed
    automatic updates; they certainly shouldn't have allowed driver updates".
    But what if both of those were in the negative; and savvy people looked
    at the update list, saw one from a respected security co. relevant to
    their systems, and just simply ticked "install". That's a responsible approach. What should they have done other than that, when so many
    experts are constantly battering into their ears "Install updates"?
    A possible outcome could have been that just hours after NOT installing
    the update their systems were infiltrated and compromised.

    Extremely unlikely. Especially in the case of a driver. Drivers
    are not malware definitions. The standard protocol is to find out
    what an update is for, decide whether it's needed, then test it out.
    That's what IT people typically do with Windows updates. That's
    why "enterprise" licensees don't have to accept Windows updates...
    because they know better than to be unpaid beta testers. It's even
    more important with drivers. There should be a good reason and good
    testing before that's rolled out to thousands of computers.

    None of this seems to have had anything to do with critical security updates. Anything like that would have involved a CVE security notice
    and mitigation advice. IT people are watching for such things.

    This was just people who should know better,
    letting a third party send whatever they liked down the pipe. The
    fact that there was a bug is not a big shocker. Bugs happen. The
    shocker is that no one on either end was thoroughly testing before
    rolling out the update.

    Companies like Delta have only themselves to blame. Why were their
    IT people letting 3rd parties manage their computers?

    Some poor sap of a programmer working for Crowdstrike will have taken
    the fall for this. But he had an open doorway into Windows, allowed by
    his superiors and woe betide him if he didn't do it.


    Yes. Good point. The people at CS should have tested better, but
    it's nuts that they have sole responsibility to oversee the integrity of customer computers. It's like letting my router or display driver update
    willy nilly, without any important reason to do so. Except that it's much
    worse because these computers were critical to keeping planes flying
    and hospitals functioning.

    I'm amazed that people in tech don't see this problem. I seem to
    remember a case awhile back where Tesla's were getting a bad update.
    Tesla sends out dripfeed updates leaving drivers out of the loop.
    I'd be scared to even get into one of those cars. What if an update
    messed up the brakes? But most people seem to be so starry eyed
    about living like George Jetson that they just don't imagine that
    there could be problems. Probably this problem will get a scapegoat,
    as you said, and no one will learn a lesson from it.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Steve Hayes@21:1/5 to All on Tue Jul 23 04:53:24 2024
    XPost: alt.comp.os.windows-11

    On Mon, 22 Jul 2024 19:03:53 +0100, Ed Cryer <ed@somewhere.in.the.uk>
    wrote:

    Some poor sap of a programmer working for Crowdstrike will have taken
    the fall for this. But he had an open doorway into Windows, allowed by
    his superiors and woe betide him if he didn't do it.

    But surely that poor sap of a programmer, or someone else at
    Crowdstrike, was responsible for testing it before it went out?


    --
    Steve Hayes from Tshwane, South Africa
    Web: http://www.khanya.org.za/stevesig.htm
    Blog: http://khanya.wordpress.com
    E-mail - see web page, or parse: shayes at dunelm full stop org full stop uk

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to All on Tue Jul 23 00:06:50 2024
    XPost: alt.comp.os.windows-11

    On 7/22/2024 8:38 PM, Newyana2 wrote:
    On 7/22/2024 6:57 PM, Paul wrote:

    "I don't test very often, but when I do, I test in Production" :-)


        I hadn't realized how reckless software development has become.
    Agile programming. Testing in production. TIP should be what focus
    groups are for, BEFORE the code is written. Yet I see both methods
    propagandized as the latest improvement in software. It seems to
    be basically Zuck's MO: Move fast and break things. There's an
    interesting philosophical preconception embedded in that thinking,
    which is the assumption that new is by definition better. Whatever the product is, it must be changed and it must be changed soon, as a
    matter of principle. Change masquerading as quality control.


    You can get a T-shirt with that on it. It's a little joke.

    "the most interesting man in the world!
    and his real name is Jonathan Goldsmith"

    "the Most Interesting Man was selling Dos Equis beer"

    "He went on to do ads for Astral Tequila and Stella Artois."

    The picture used, may have been intended to
    promote some beverage. But the meme reuses it
    to make fun of TIP.

    I think the expression in my group might have been
    "Well, just throw it over the fence". That's how much
    test you need, you see. Throw it over the fence.
    Someone else's problem. And the looks on the faces of
    some of the software staff, you could tell they weren't happy
    with this cowboy-shit. Only one guy really-really
    enjoyed himself.

    The managers also had a thing called "lessons learned".
    They kept project histories. And if you were to try
    something like TIP, there would be an analysis later,
    charts and graphs, as to whether the idea had merit
    when you subtracted the disadvantages from the advantages.
    And we would receive a lecture on the topic, so that
    it became corporate culture. If later, you were promoted
    to management, you would recollect the "lessons learned"
    on a topic, if the issue ever came up again. And the failures
    get as much topical coverage, as the successes. It wasn't
    a matter of blowing smoke or a P.R. campaign. This
    was for internal consumption, and even if the manager
    who ran the TIP program left the company, someone
    would remember. I don't know how they found the time for that,
    but apparently, they did.

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to All on Tue Jul 23 11:57:12 2024
    XPost: alt.comp.os.windows-11

    On 23/07/2024 01:03, Newyana2 wrote:

    none of that explains why anyone is allowing a system-critical driver
    to be updated automatically.

    It's not the driver being updated, it's definition files used by the
    driver, and which it apparently doesn't validate well enough, since the
    definitions can segfault the driver.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to Steve Hayes on Tue Jul 23 06:53:13 2024
    XPost: alt.comp.os.windows-11

    On 7/22/2024 10:53 PM, Steve Hayes wrote:
    On Mon, 22 Jul 2024 19:03:53 +0100, Ed Cryer <ed@somewhere.in.the.uk>
    wrote:

    Some poor sap of a programmer working for CrowdStrike will have taken
    the fall for this. But he had an open doorway into Windows, allowed by
    his superiors and woe betide him if he didn't do it.

    But surely that poor sap of a programmer, or someone else at
    Crowdstrike, was responsible for testing it before it went out?


    This is a process problem.

    And some managers did this.

    Firing a programmer does not fix this.

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to All on Tue Jul 23 08:00:55 2024
    XPost: alt.comp.os.windows-11

    On 7/22/2024 8:03 PM, Newyana2 wrote:
    On 7/22/2024 1:04 PM, Andy Burns wrote:
    Newyana2 wrote:

    Notable in all this is that all these failed
    computers were set up to allow CrowdStrike to do as they liked
    without notice. Why are regular driver updates required? What sort
    of IT people are allowing this and why aren't they being looked at?
    if you want to catch 0-day malware, you can't wait a week while your IT
    dept test definition updates several times per day

      They're not going to catch 0-days by definition. Of course there's
    something to be said for frequent AV updates, but there are also
    problems. The whole idea of virus definitions is out of date. And none
    of that explains why anyone is allowing a system-critical driver to be
    updated automatically.

    It needs to be tested.

    Just for the record, I tested the shit outta stuff at work,
    and what I learned, is you can't test quality into something.
    Not on computers. Test is a crutch. Test is nice. But test
    is not an answer. You can spend a buck fifty on it, or you
    can spend ten billion, and the results are the same. For
    ten billion, you get a T-shirt.

    If you design quality into something, make it so "it can't fail",
    that happens to be "cheaper than test". For example, one of
    our engineers, the only engineer at work to wear a suit (!!!),
    he had a bench in the lab all to himself, and there was a
    computer he designed running long term test. It had the
    "don't touch" sheet of typing paper taped to it, and it
    was doing a long term stability test (it ran for at least a year).
    But really, let's be honest, it was a "my shit doesn't stink" statue.
    And I thought that was pretty cool. It never occurred to me to build
    a statue like that. Because "my shit stinks, when it needs to stink".
    And this is why we test. I never trust hardware enough, to build
    a statue from it.

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Newyana2@21:1/5 to Andy Burns on Tue Jul 23 08:21:00 2024
    XPost: alt.comp.os.windows-11

    On 7/23/2024 6:57 AM, Andy Burns wrote:
    On 23/07/2024 01:03, Newyana2 wrote:

    none
    of that explains why anyone is allowing a system-critical driver to be
    updated automatically.

    It's not the driver being updated, it's definition files used by the
    driver, and which it apparently doesn't validate well enough, since the
    definitions can segfault the driver.

    It seems that neither is completely true:

    ____________________________

    https://www.wired.com/story/crowdstrike-outage-update-windows/

    The update was specifically aimed at changing how Falcon inspects “named
    pipes” in Windows, a feature that allows software to send data between
    processes on the same machine or with other computers on the local
    network. CrowdStrike says the configuration file update was aimed at
    allowing Falcon to catch a new method that hackers were using for
    communication between their malware on victim machines and
    command-and-control servers. “The configuration update triggered a
    logic error that resulted in an operating system crash,” the post reads.

    Security and IT analysts searching for the root cause of the gargantuan
    outage had initially thought that it must be related to a “kernel
    driver” update to CrowdStrike’s Falcon software, due in part to the fact
    that the file that caused the crash ended in .sys, the file extension
    kernel drivers use.
    _________________________________

    So it's neither a driver nor virus definitions. Why did they call a
    config file .sys? And what does it mean to say a config file is
    determining API calls? Who knows. Sounds to me like they're fibbing
    about something.

    Either way, it was a change that was able to take down the system.
    We can only guess that there was little or no testing. I don't see
    how any of this is a defense of allowing dripfeed updates, especially
    in these days of manic, seat-of-the-pants updates.

    The only recent update I've allowed was Android on my cellphone.
    I allowed it by accident while intending to dismiss the constantly
    nagging prompt. Now I wish I could reverse it. The phone still works,
    but I get dozens of popups telling me to enable Google crap, that
    didn't used to be there. The popups cover the top of the screen, making
    it difficult to get to the phone icon to make a phone call. All I need it
    for is occasional phone calls, and now it can't even do that right.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Newyana2@21:1/5 to Paul on Tue Jul 23 08:34:55 2024
    XPost: alt.comp.os.windows-11

    On 7/23/2024 8:00 AM, Paul wrote:
    On 7/22/2024 8:03 PM, Newyana2 wrote:
    On 7/22/2024 1:04 PM, Andy Burns wrote:
    Newyana2 wrote:

    Notable in all this is that all these failed
    computers were set up to allow CrowdStrike to do as they liked
    without notice. Why are regular driver updates required? What sort
    of IT people are allowing this and why aren't they being looked at?
    if you want to catch 0-day malware, you can't wait a week while your IT
    dept test definition updates several times per day

      They're not going to catch 0-days by definition. Of course there's
    something to be said for frequent AV updates, but there are also
    problems. The whole idea of virus definitions is out of date. And none
    of that explains why anyone is allowing a system-critical driver to be
    updated automatically.

    It needs to be tested.

    Just for the record, I tested the shit outta stuff at work,
    and what I learned, is you can't test quality into something.
    Not on computers. Test is a crutch. Test is nice. But test
    is not an answer. You can spend a buck fifty on it, or you
    can spend ten billion, and the results are the same. For
    ten billion, you get a T-shirt.

    If you design quality into something, make it so "it can't fail",
    that happens to be "cheaper than test". For example, one of
    our engineers, the only engineer at work to wear a suit (!!!),
    he had a bench in the lab all to himself, and there was a
    computer he designed running long term test. It had the
    "don't touch" sheet of typing paper taped to it, and it
    was doing a long term stability test (it ran for at least a year).
    But really, let's be honest, it was a "my shit doesn't stink" statue.
    And I thought that was pretty cool. It never occurred to me to build
    a statue like that. Because "my shit stinks, when it needs to stink".
    And this is why we test. I never trust hardware enough, to build
    a statue from it.

    Paul


    So what's happened to testers? Do they still get work? I have
    a friend who's retired from testing. It was good pay and considered
    highly skilled. Then she got a nursing degree and ended up testing
    medical software. This was fulltime work, making sure that even
    hitting Ctrl+A+B didn't do something unexpected.

    According to the Wired article, Crowdstrike was changing core
    API code for dealing with named pipes, claiming it was a config
    file. Sounds to me like some kind of library. Whatever it was, doesn't
    that sound like zero testing? I can imagine someone who hadn't
    yet really woken up, hastily making one of those faulty logic moves
    at the last minute, editing the file just before shipping.

    Like when you shout
    your coffee order, saying, "No, make it a toffee double latte", and
    you're not sufficiently awake to realize that the person doing
    the coffee run won't know that's a joke. That mental process is
    too abstract for first thing in the morning. So you end up with a
    giant, foamy, warm, caramel milkshake instead of coffee.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andy Burns@21:1/5 to All on Tue Jul 23 13:44:21 2024
    XPost: alt.comp.os.windows-11

    Newyana2 wrote:

    what does it mean to say a config file is determining API
    calls? Who knows.

    Some form of p-code?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul@21:1/5 to Andy Burns on Tue Jul 23 09:41:36 2024
    XPost: alt.comp.os.windows-11

    On 7/23/2024 8:44 AM, Andy Burns wrote:
    Newyana2 wrote:

    what does it mean to say a config file is determining API
    calls? Who knows.

    Some form of p-code?

    I would guess so.

    The interpreter was not changed (the part that is WHQL tested and signed).

    But new p-code was sent out, packaged in those numbered files.

    And something the p-code did, had an unintended side effect.

    What you're asking, is for a third-party company, to understand
    the inner workings of the OS, as well as the company who wrote it
    does. And while some things in the OS are documented, the *defects*
    in that implementation, developers learn of that via reverse-engineering.

    Which is not an ideal way to be working.

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
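    The point raised above by Andy Burns (definition files the driver apparently doesn't validate well enough) and in Paul's reply (an unchanged, signed interpreter fed new p-code in numbered files) comes down to one loader decision: content the interpreter cannot safely address must be rejected up front rather than executed. The block below is an added example, not CrowdStrike's or Microsoft's code; its file format, handler table and sample files are all constructed for illustration.

```c
/* Added example (not CrowdStrike's or Microsoft's code): a content loader that
 * validates a hypothetical definition file before a fixed, unchanged interpreter
 * applies it. Constructed format: "DEFS", 1-byte entry count, then count
 * entries of {opcode u8, handler_index u8}. */
#include <stdint.h>
#include <string.h>

#define MAX_ENTRIES   16  /* capacity of the interpreter's entry table */
#define HANDLER_COUNT 3   /* size of the fixed handler table */
#define HDR_LEN       5   /* magic (4) + count (1) */

enum def_status { DEF_OK = 0, DEF_TRUNCATED, DEF_BAD_MAGIC, DEF_TOO_MANY, DEF_BAD_INDEX };
/* Hypothetical handlers that a definition entry selects by index. */
static int h_log(uint8_t op)   { return 100 + op; }
static int h_block(uint8_t op) { return 200 + op; }
static int h_alert(uint8_t op) { return 300 + op; }
static int (*const handlers[HANDLER_COUNT])(uint8_t) = { h_log, h_block, h_alert };

/* Every size and index the file declares is checked against what the interpreter
 * can address. A loader that trusts the count and indexes handlers[] straight
 * from the file is the kind that faults on malformed content. */
static enum def_status validate_defs(const uint8_t *buf, size_t len)
{
    if (len < HDR_LEN)               return DEF_TRUNCATED;
    if (memcmp(buf, "DEFS", 4) != 0) return DEF_BAD_MAGIC;
    size_t count = buf[4];
    if (count > MAX_ENTRIES)         return DEF_TOO_MANY;
    if (len < HDR_LEN + count * 2)   return DEF_TRUNCATED; /* count overruns the data */
    for (size_t i = 0; i < count; i++)
        if (buf[HDR_LEN + i * 2 + 1] >= HANDLER_COUNT) return DEF_BAD_INDEX;
    return DEF_OK;
}

/* Apply definitions only after they validate. Returns the sum of handler results
 * (>= 0), or the negated def_status; on failure nothing from the file runs and
 * the previously loaded definitions stay in force. */
static int apply_defs(const uint8_t *buf, size_t len)
{
    enum def_status st = validate_defs(buf, len);
    if (st != DEF_OK) return -(int)st;
    int acc = 0;
    for (size_t i = 0; i < buf[4]; i++)
        acc += handlers[buf[HDR_LEN + i * 2 + 1]](buf[HDR_LEN + i * 2]);
    return acc;
}

/* Constructed samples: valid; count overruns data; handler index out of range. */
static const uint8_t good_file[]   = { 'D','E','F','S', 2, 0x05,0x00, 0x07,0x02 };
static const uint8_t short_file[]  = { 'D','E','F','S', 3, 0x05,0x00, 0x07,0x02 };
static const uint8_t badidx_file[] = { 'D','E','F','S', 1, 0x01,0x09 };
```

    The malformed samples never reach the handler table: the loader returns a status and the previous content stays active, which is the behaviour a kernel-resident consumer of frequently pushed content needs.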
  • From Paul@21:1/5 to ...winston on Wed Jul 24 00:10:24 2024
    XPost: alt.comp.os.windows-11

    On 7/23/2024 9:30 PM, ...winston wrote:

    For this group, for the most part it's just complaining about someone
    else's predicament. Even though true, few, if any at all, were impacted.


    I think the concern being expressed, is the notion of "willing compromise".

    People want to understand the value proposition of what they run.
    Is it watertight? Is it loosey-goosey? They want to understand
    what risks they are taking. I think it's only reasonable to want
    to learn what attack surfaces and holes a product *might* have.
    Things done, without telling you.

    You will notice, that the audience does not even have a drawing
    to refer to, showing Ring3 and Ring0, so they can understand
    where the kernel is, and what a kernel would normally do.

    While a diagram was provided for the inverted Hypervisor "Hyper-V",
    the diagram has not been updated to inform the community what
    is under the hood. For example, the system has a sandbox. Say
    for example, a user was interested in the topic. Maybe they
    would engage the setting that turns it on, if they had a diagram
    showing where it was, and what it proposes to do.

    The information Microsoft releases does not have to be Technical Note
    TN material. But it should be at least a tiny bit evangelical, by
    visually promoting features to at least make people curious.

    When you invent something called Robust NTFS, why would you not
    explain that ?

    I don't know how many people noticed, but Task Manager is no longer a
    "perfectly accurate" measure of what is going on. Sometimes there is
    a large difference, between the numbers in Task Manager, and what is
    actually happening. This is one of the reasons a Kill-O-Watt meter
    is connected to my daily driver. You can't fool my power meter :-/

    This is one reason, when I make diagrams now, I might use Process Explorer
    from Sysinternals. It has two digits after the decimal point for task
    activity, which beats the hell out of Task Manager showing "0" for the
    thing in question. I hate "0" when something is not "0".

    Paul

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)