this post was submitted on 19 Jul 2024
1 points (100.0% liked)

Technology

59566 readers
4696 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
L4s@lemmy.world
L3s@fry.gs
L4s@fry.gs
enu@lemmy.world
1
CrowdStrike downtime apparently caused by update that replaced a file with 42kb of zeroes (twiiit.com)
submitted 4 months ago* (last edited 4 months ago) by Aatube@kbin.melroy.org to c/technology@lemmy.world
186 comments fedilink hide all child comments
 

…according to a Twitter post by the Chief Informational Security Officer of Grand Canyon Education.

So, does anyone else find it odd that the file that caused everything CrowdStrike to freak out, C-00000291-
00000000-00000032.sys was 42KB of blank/null values, while the replacement file C-00000291-00000000-
00000.033.sys was 35KB and looked like a normal, if not obfuscated sys/.conf file?

Also, apparently CrowdStrike had at least 5 hours to work on the problem between the time it was discovered and the time it was fixed.

top 50 comments
sorted by: hot top controversial new old
[–] Gork@lemm.ee 0 points 4 months ago (5 children)

How can all of those zeroes cause a major OS crash?

[–] driving_crooner@lemmy.eco.br 0 points 4 months ago (2 children)

The file is used to store values to use as denominators on some divisions down the process. Being all zeros is caused a division by zero erro. Pretty rookie mistake, you should do IFERROR(;0) when using divisions to avoid thay.

[–] sugar_in_your_tea@sh.itjust.works 0 points 4 months ago (1 children)

I disagree. I'd rather things crash than silently succeed or change the computation. They should have done better input and output validation, and gracefully fail into a recoverable state that sends a message to an admin to correct. A divide by zero doesn't crash a system, it's a recoverable error they should 100% detect and handle, hot sweep under the rug.

[–] driving_crooner@lemmy.eco.br 0 points 4 months ago (1 children)

Life pro tip: if you're a python programmer you should use try: func() except: continue every time you run a function, that way ypu would never have errors on your code.

load more comments (1 replies)
load more comments (1 replies)
[–] urquell@lemm.ee 0 points 4 months ago (1 children)

Well, the file shouldn't be zeroes

load more comments (1 replies)
[–] tiramichu@lemm.ee 0 points 4 months ago (17 children)

If I send you on stage at the Olympic Games opening ceremony with a sealed envelope

And I say "This contains your script, just open it and read it"

And then when you open it, the script is blank

You're gonna freak out

[–] Imgonnatrythis@sh.itjust.works 0 points 4 months ago (2 children)

Maybe. But I'd like to think I'd just say something clever like, "says here that this year the pummel horse will be replaced by yours truly!"

[–] Takios@discuss.tchncs.de 0 points 4 months ago (16 children)

Problem is that software cannot deal with unexpected situations like a human brain can. Computers do exactly what a programmer tells it to do, nothing more nothing less. So if a situation arises that the programmer hasn't written code for, then there will be a crash.

load more comments (16 replies)
[–] Hazzia@infosec.pub 0 points 4 months ago (1 children)

I'm gonna take from this that we should have AI doing disaster recovery on all deployments. Tech CEO's have been hyping AI up so much, what could possibly go wrong?

load more comments (1 replies)
[–] sigmaklimgrindset@sopuli.xyz 0 points 4 months ago

Great layman's explanation.

[–] Gork@lemm.ee 0 points 4 months ago (1 children)

Ah, makes sense. I guess a driver would completely freak out if that file gave no instructions and was just like "..."

[–] PriorityMotif@lemmy.world 0 points 4 months ago (2 children)

You would think that Microsoft would implement some basic error handing.

[–] planish@sh.itjust.works 0 points 4 months ago (6 children)

That's what the BSOD is. It tries to bring the system back to a nice safe freshly-booted state where e.g. the fans are running and the GPU is not happily drawing several kilowatts and trying to catch fire.

load more comments (6 replies)
[–] Kaboom@reddthat.com 0 points 4 months ago

For most things, yes. But if someone were to compromise the file, stopping when they see it invalid is probably a good idea for security

load more comments (14 replies)
[–] MajinBlayze@lemmy.world 0 points 4 months ago (2 children)

Because it's supposed to be something else

[–] jared@mander.xyz 0 points 4 months ago (1 children)

At least a few 1's I imagine.

[–] Iheartcheese@lemmy.world 0 points 4 months ago (2 children)

What if we put in a 2

load more comments (1 replies)
[–] thurstylark@lemm.ee 0 points 4 months ago

Well, you see, the front fell off.

[–] LodeMike@lemmy.today 0 points 4 months ago

Windows

[–] diffusive@lemmy.world 0 points 4 months ago (7 children)

If I had to bet my money, a bad machine with corrupted memory pushed the file at a very final stage of the release.

The astonishing fact is that for a security software I would expect all files being verified against a signature (that would have prevented this issue and some kinds of attacks

[–] LodeMike@lemmy.today 0 points 4 months ago

Which is still unacceptable.

[–] jlh@lemmy.jlh.name 0 points 4 months ago (2 children)

Windows kernel drivers are signed by Microsoft. They must have rubber stamped this for this to go through, though.

[–] PythagreousTitties@lemm.ee 0 points 4 months ago (2 children)

What about the Mac and Linux PCs? Did Microsoft sign those too?

[–] Aatube@kbin.melroy.org 0 points 4 months ago

only the Windows version was affected

[–] jlh@lemmy.jlh.name 0 points 4 months ago (1 children)

Not sure about Mac, but on Linux, they're signed by the distro maintainer or with the computer's secure boot key.

https://wiki.ubuntu.com/UEFI/SecureBoot

[–] PythagreousTitties@lemm.ee 0 points 4 months ago (8 children)

So... Microsoft couldn't have "rubber-stamped" anything to do with the outage.

load more comments (8 replies)
[–] diffusive@lemmy.world 0 points 4 months ago (1 children)

This was not the driver, it was a config file or something read by the driver. Now having a driver in kernel space depending on a config on a regular path is another fuck up

[–] jlh@lemmy.jlh.name 0 points 4 months ago (2 children)

isn't .sys a driver?

load more comments (1 replies)
[–] LodeMike@lemmy.today 0 points 4 months ago

Which is still unacceptable.

[–] BossDj@lemm.ee 0 points 4 months ago (9 children)

So here's my uneducated question: Don't huge software companies like this usually do updates in "rollouts" to a small portion of users (companies) at a time?

load more comments (9 replies)
load more comments (3 replies)
[–] cupcakezealot@lemmy.blahaj.zone 0 points 4 months ago (6 children)

have they ruled out any possibility of a man in the middle attack by a foreign actor?

[–] simplejack@lemmy.world 0 points 4 months ago (1 children)

This was not a cyberattack.

https://www.crowdstrike.com/blog/statement-on-falcon-content-update-for-windows-hosts/

I guess they could be lying, but if they were lying, I don’t know if their argument of “we’re incompetent” is instilling more trust in them.

[–] xavier666@lemm.ee 0 points 4 months ago

"We are confident that only our engineers can fuck up so much, instead of our competitors"

[–] db2@lemmy.world 0 points 4 months ago

Or it being an intentional proof of concept

[–] Kazumara@discuss.tchncs.de 0 points 4 months ago* (last edited 4 months ago)

In the middle of the download path of all the machines that got the update?

[–] floofloof@lemmy.ca 0 points 4 months ago

The CEO made a statement to the effect of "It's not an attack, it's just me and my company being shockingly incompetent." He didn't use exactly those words but that was the gist.

load more comments (2 replies)
[–] independantiste@sh.itjust.works 0 points 4 months ago* (last edited 4 months ago) (30 children)

Every affected company should be extremely thankful that this was an accidental bug, because if crowdstrike gets hacked, it means the bad actors could basically ransom I don't know how many millions of computers overnight

Not to mention that crowdstrike will now be a massive target from hackers trying to do exactly this

[–] qprimed@lemmy.ml 0 points 4 months ago (2 children)

security as a service is about to cost the world a pretty penny.

[–] Telorand@reddthat.com 0 points 4 months ago (3 children)

You mean it's going to cost corporations a pretty penny. Which means they'll pass those "costs of operation" on to the rest of us. Fuck.

[–] qprimed@lemmy.ml 0 points 4 months ago* (last edited 4 months ago)

well, the world does include the rest of us.

and its not just opeerational costs. what happens when an outage lasts 3+ days and affects all communication and travel? thats another massive shock to the system.

they come faster and faster.

load more comments (2 replies)
[–] Manifish_Destiny@lemmy.world 0 points 4 months ago

Where's my fuckin raise

[–] Evotech@lemmy.world 0 points 4 months ago (4 children)

Don't Google solar winds

[–] peopleproblems@lemmy.world 0 points 4 months ago

Oooooooo this one again thank you for reminding me

load more comments (3 replies)
[–] Miaou@jlai.lu 0 points 4 months ago

I'd assume state (or other serious) actors already know about these companies.

load more comments (27 replies)
[–] EleventhHour@lemmy.world 0 points 4 months ago* (last edited 4 months ago) (2 children)

d'00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

load more comments (2 replies)
[–] bjoern_tantau@swg-empire.de 0 points 4 months ago (1 children)

Ah, a classic off by 43,008 zeroes error.

load more comments
view more: next ›