Crowdstrike takes out last remaining threat vector (the users)
Crowdstrike takes out last remaining threat vector (the users)
Attached: 1 image This is fitting. The top topic on Xitter right now is of course the global Crowdstrike/Windows clusterfuck. But the AI summary of the discussion is hilarious, b/c it summarizes a bunch of sarcastic posts and makes it sound like a positive (or at least can-do) story.
The machines, now inaccessible, are arguably more secure than before.
Zach Vorhies (who made leaking Google stuff to Project Veritas his entire identity) has the worst possible take: https://twitter.com/Perpetualmaniac/status/1814405221738786984 (lemme gather my thoughts and explain why in the next comment)
Fair warning that I'll be ranty because I hate losers talking about DEI hires.
So why is memory address 0x9c trying to be read from? Well because... programmer error.
So what happened is that the programmer forgot to check that the object it's working with isn't valid, it tried to access one of the objects member variables...
This is a huge assumption.
The last rumor I've read from actual cybersecurity people is that Crowdstrike's update files were corrupt(update: disproven by Crowdstrike's blog post). If this is true it's likely still from programmer error at some level, but maybe not as simple as "whoopsie I forgot anif (data == nullptr)teehee".He, like the rest of us that don't work at Crowdstrike, has no idea what happened. I have seen computers do the weirdest gosh darn things. I know better than to assume anything at this point. I wouldn't even rule out weird stuff like the data getting corrupted between release qualification and release yet.
It turns out that C++, the language crowdstrike is using, likes to use address 0x0 as a special value to mean "there's nothing here", don't try to access it or you'll die.
This thread is full of these sorts of small technical inaccuracies and oversimplifications so I won't point out all of them, but nothing in the C++ standard requires null pointers to refer to memory address 0x0. Nor does it require that dereferencing a null pointer terminates the program.
Windows died not because C++ asked it nicely to, but because a driver tried to access an address which wasn't paged in.
Crowdstrike should have set up automated testing using address sanitizer and thread sanitizer that runs on every code update.
The funny thing about accessing into non-paged memory in kernel space:
- It will crash regardless of if it's running under Asan or not, sanitizers are literally irrelevant based on what we know so far
- The Asan version he linked to is for user-space. In the windows kernel you'd need KASAN instead.
(If this was a simple nullptr dereference on bad input data then perhaps a fuzzer would have helped. Fuzzers are great though I have no idea how hard they are to use with kernel drivers)
C++ is hard. Maybe they have a DEI engineer that did this
Dude would probably call me a "DEI hire"; but I bet I could beat him in a C++ deathmatch so neener neener.
Also, and this shouldn't be left unsaid, we're talking about the Windows kernel here. A place with C++ code so cursed it is legendarily unhealthy to work in, as the cosmic horrors contained within slowly eat away at your sanity and warp the perception of time and space. Seeing that code for a few hours is enough to make a grown man cry. Seeing that code for a few weeks is enough to make you never cry again, as the terrible truth worms its way into your mind.
"DEI hire", hah! The creature makes no distinction for race or gender as it fattens itself upon your failure! Even a glimpse at the edge of its abyss is enough to trigger a cycle of revelation - all modern software lies upon a rotting pile of ancient mistakes.
Mention C (and to an extent C++) and turbo nerds froth to show off how ultra cool they are cause they are LoW lEvEl programmers. But like most things, these loud freaks are mostly incoherent with their random insertion of tech words. Putting aside the DEI stuff cause I will rant forever against this racist and sexist fuckwit, it’s massively annoying working in an industry and dummies love to be all hand wavy and suggest something like sanitizers. Thanks bro, let’s all add runtime sanitizers and watch perf tank in the most critical section of your computer. And as you pointed out he doesn’t even mention the right one.
Next time Crowdstrike should just have an if check all registers after every instruction to make sure their values are within your address space! And and and make sure a woman doesn’t program it cause according to him they are exempt from code reviews cause of the left agenda or some bullshit
As someone who is still confused why C++ is different from a B-, thank you for your sacrifice in wading through that nonsense.
@sailor_sega_saturn And given enough time and enough scale even the most improbably weird things will eventually happen. Update file corrupted by a storage controller that flips a couple of bits at random after every 720 hours of uptime but only if it’s 23.682 seconds after the hour? Weirder shit has happened.
(update: disproven by Crowdstrike’s blog post).
How do you mean? The current top post on the blog seems to mention .sys files as part of the problem very prominently.
Channel file "C-00000291*.sys" with timestamp of 0527 UTC or later is the reverted (good) version. Channel file "C-00000291*.sys" with timestamp of 0409 UTC is the problematic version.
@sailor_sega_saturn You're a removed?!
Amazing that the twitter shitposts themselves also are so similar that I think they might be LLM written.
I was going to guess their "last remaining threat vector" was their quality assurance team.