Global BSOD

Microsoft just say sod the EU agreement and block kernel access again anyway.

Yes, it's a great thing if private companies ignore the law!

This situation could have been avoided if the EU didn't shove its nose into things.

Preventing the establishment of monopolies is a vital part of the state's role in maintaining functioning markets. The EU has been very strong on this, much to the benefit of everyone; they may not have got the detail of every decision but they've definitely had a positive impact overall.
 
EDR APIs shouldn't cause crashes; an Endpoint Detection and Response API should provide documented, safe, secure ways of accessing low-level kernel functions. If a particular spin of Linux doesn't provide such a kernel, that's their problem.

Unlike Apple's and MS's, the Linux kernel is open source; that means anyone can write anything they want to interact with it in any way they want, which is why you don't grant programs root privileges unless you either trust them implicitly or know exactly what they're doing.
 
Which bit of MS’s assessment do you disagree with?
None, because they didn't mention that they could've written an EDR API so there were documented, safe, secure ways of accessing the low-level kernel functions needed for Endpoint Detection and Response (vs. what they seem to be implying they did, and opened up most, or all, of the low-level kernel functions).

MS's statement is a lie by omission.
 
Can't beat YOLO patches on a Friday.

MS needs to tell the EU to jog on. What are they going to do, remove Windows from all their systems?
 

You mean two distros of effectively the same OS, of which there are nearly 1000 different distros?... and yep, it's broken it before, but nobody noticed because the install base where it matters is like 10 machines globally... if Linux wasn't a complete cluster with 1000 distros nobody asked for, people might actually use it.

Shakes fist at Linux for being, well, Linux

An EDR API sounds a solid route to deal with these sorts of things, mind... the whole model of how CrowdStrike works seems fundamentally flawed... I had actually queued up a meeting with them to have a look at this "best in breed" solution! I guess I'll probably give that one a miss.
 
An EDR API sounds a solid route to deal with these sorts of things, mind
It's what they did with Windows drivers. It used to be a free-for-all with third-party drivers until MS wrote a secure, safe way for drivers to interact with the kernel.

They should've written an API for EDRs, but it seems they either didn't bother or the API is allowing EDRs to do something that brings down the OS.
 
Disruptive rather than destructive, but anyone interested in causing mass disruption would be looking at this and thinking: all we need to do is force PCs into recovery mode.

Imagine if this happened to all Windows PCs, not just those with CrowdStrike installed; the disruption would be far, far worse :)
Agreed, although it likely also did cause some destruction given the systems that it was running. Especially if it shut off any devices running any kind of database.
 
You mean two distros of effectively the same OS, of which there are nearly 1000 different distros?... and yep, it's broken it before, but nobody noticed because the install base where it matters is like 10 machines globally... if Linux wasn't a complete cluster with 1000 distros nobody asked for, people might actually use it.

Shakes fist at Linux for being, well, Linux

An EDR API sounds a solid route to deal with these sorts of things, mind... the whole model of how CrowdStrike works seems fundamentally flawed... I had actually queued up a meeting with them to have a look at this "best in breed" solution! I guess I'll probably give that one a miss.
Maybe I'm misunderstanding something here, but I thought Linux was quite popular in the server space, or has that changed?
 
Maybe I'm misunderstanding something here, but I thought Linux was quite popular in the server space, or has that changed?

It's prevalent in the DC at scale, but a lot of the DCs that I visit will be using custom distros or stuff they have built themselves. The big hyperscalers will generally be rocking custom stuff. Also, at a DC level you are running virtual on the metal and endpoints will be virtual. Generally, on top of this you have access to the machine at boot via stuff like iLO and other management ports. What I'm saying is yes, but not in a way that would be affected by almost all, if not all, EDR solutions.

Actually, thinking about this, there is an exception... Darktrace, specifically the Darktrace appliance, which operates in the network stack and has the ability, if configured correctly, to block traffic. You would need their Antigena product for it to do this... but as an ex-Darktrace customer I can assure you that none of these solutions are infallible.
 