At the very minimum, I'd suggest waiting until you are actually working that 9-5 office job, before considering giving up your weekends. You may feel very different about things, once you are in that position.

My own situation is that I work generally 8-4 in a fully remote position. I like what I do and often spend my personal time reading and learning within the same field, just because I like that sort of thing. Even still, when the weekend starts, I have zero desire to go work somewhere else. I have a family I want to spend time with, hobbies I want to engage in, and just generally not be "on the clock". There is a lot more to life than work, go do that.

That said, if money is an issue, I can certainly understand the desire to work more. My income is high enough that I don't have to stress over money. So, the pressure to earn more just isn't there. Any extra income would either just be used to pay stuff off faster or go into savings. If you are in a position where money is a significant stressor, then the extra work may make sense. Some extra time with your nose to the grindstone now could pay dividends in the future.

Overall, I'm in the camp of not spending all your free time working. Work to live, don't live to work.

While this isn't likely to amount to anything, it is interesting to see Russia moving towards a negotiated end to the invasion. This war seems unlikely to end with a total loss for Russia, leaving two likely outcomes:

1. War fatigue takes over and Russia finally withdraws. Similar to how the Soviet-Afghan War ended. The downside of this is that, Russia may well be willing to keep fighting for a decade or longer. This is going to result in even more death and destruction in Ukraine. Though, this may also be the only path which results in a Ukraine which is again whole and free of Russian influence.
2. A negotiated cease-fire. This could take on a lot of forms. Everything from Russia fucking off to Ukraine as a puppet state. Though neither of those extremes seems likely at this point. And, at this point, I suspect both sides of the negotiation have red lines in their positions which are beyond the red lines of the other side. For example, Ukraine's position likely includes the return of all occupied territory in Eastern Ukraine. And any negotiated settlement which leaves those regions under Russian control is completely unacceptable. By contrast, Russia may consider any negotiated settlement that removes the Luhansk and Donetsk Oblasts from their control as completely unacceptable. The end result is that, no matter how much anyone talks about peace, neither side is willing to give up enough that the other side won't respond with a flat out, "no".

The question this sort of announcement brings up is: are Russia's red lines moving? While they may still be in the unacceptable region for Ukraine's negotiating position, it may signal that they are starting to shift. Maybe losing control of the Donetsk Oblast is no longer actually a red line and they would be willing to give up on that area entirely. Sure, that still leaves them well past the "complete territorial integrity" goal of Ukraine. But, it may also be that Ukraine's own red lines no longer extend quite as far in that direction as they used to.

And yes, morally, this is all kinda shit. The truly moral thing is for Russia to fuck right off and Putin to end up taking a swan dive from a fifth story window. But, ending wars often results in a lot of abandoned morals.

As much "doom and gloom" as the article pushes, I kinda feel that the compromised keys being well known makes detection easier. The malicious binary needs to be signed with one of these keys, this means that there will be very specific structures (e.g. the public key) at well known locations in the file. This is exactly the type of threat which anti-virus is good at detecting. Assuming a network's security folks aren't completely asleep at the switch, these attacks should get picked up and blocked pretty fast.

There is a reason attackers spend so much time and effort obfuscating code and keeping files off the disk. While A/V may be a pretty terrible security control and easily bypassed in many cases, watching for files with well known patterns is one of the few things A/V tends to do well.

The company says that files and file passwords uploaded to its servers will be deleted promptly after scanning, and all collected data will be used only to boost download protection for all Chrome users.

Right, and that Nigerian Prince really needs my help moving money.

Humans are pretty terrible and we'll find any excuse to justify our terribleness. One of the parts of the French Revolution was the Dechristianization of France. While this may sound like a good thing, which should lead people to live their lives based on reason, it also led to violence against priests. And the lack of religion did nothing to stop the Reign of Terror. In short, it was less an atheist utopia and more just humans finding different excuses to be terrible to one an other.

Similarly, the Soviet Union was founded on the Marxist principal that "religion is the opiate of the masses". This meant that the Soviet Union was officially athiest. However, unlike some of the French Revolutionary governments, the USSR largely tolerated religious practices. At the same time, the officially a theist state got up to a lot of horrible stuff.

At the same time, there is an argument to be made that Christianity helped reign in some of the worst excesses of monarchs during the Middle Ages. It's important to remember that people really believed this stuff. Kings really did think about their immortal soul and what they would be forced to answer for on "judgement day". Fear is a powerful motivator and it may be that, for all their terrible selfishness, some monarchs may have been led to moderate the worst of it based on that fear.

All that said, I'm not sure how much differently history would have played out, without religion. As I led with, humans are pretty terrible. Many wars may have had a religious veneer, to get the people to go along with them, but they were more often about power, control and ego than religious conviction. Religion provides a convenient excuse to define "the other". The othering of people creates a permission structure where we will not only tolerate, but often gleefully engage in, truly horrible acts against "the other". And it doesn't require religion to do it. Take a look around the Lemmyverse and you'll find videos of Russian soldiers being blown apart by drone dropped munitions. And the comment sections will be talking about how "they deserve it" or making jokes and light of another human being ripped apart. And these comments will be defended because of the horrible actions of the Russian Government and some Russian soldiers. Russian soldiers have been placed firmly in "the other" and so we can celebrate their horrible deaths, and be cheered on for it in many corners of Lemmy. No religion required.

So ya. I'm not a fan of religion, nor am I religious myself. But, I have no illusions that religion has a lock on people being terrible to each other. It has absolutely been involved in making it happen throughout history. But, I am skeptical of the idea that history without it wouldn't have been just as filled with humans doing terrible things to each other. Human nature tends towards tribalism and the creation of "in groups" and "out groups". With those in the former more than willing to do anything and everything to the latter.

It's getting Fark'd

So how about hacking CrowdStrike and obtaining that access? I’m guessing it might be easier than hacking Microsoft?

Maybe. CrowdStrike is a company which specializes in security and has some pretty smart folks in that area. They also live and die by the perceived value of their security products. So, security is pretty important to the company. Microsoft is a conglomerate, and while it does have some arms which specialize in (and are pretty good at) security, the company's continued existence doesn't depend on their performance. So, the Microsoft President can go in front of Congress and promise to do better, and we all know this is bullshit and Microsoft will continue to be Microsoft.

As for an attacker actually leveraging the CrowdStrike platform as part of an attack. It's entirely possible. Security products have been found to have vulnerabilities in the past. IIRC, McAfee's ePO server was vulnerable to Log4j. And given CrowdStrike's engine runs in Ring 0 on the endpoints, it's certainly an attractive target. Finding a Remote Code exploit in it seems like something an APT like the NSA or PLA Unit 61398 might get up to. That said, as I mentioned above, CrowdStike also employs a lot of smart folks and is likely doing it's level best to find those vulnerabilities first and fix them.

Are there other companies having the same access level as CrowdStrike? How vulnerable are they?

Ya. Really, any EDR or A/V product is going to run in Ring 0. And any such kernel level driver crashing is going to cause a BSOD. That's just the way Windows is designed. I have personally dealt with bad updates from several other products causing BSODs. Including one which brought down the entire site I was working at, at the time. I believe it also took down a number of other sites as well. Since, once I figure out how to get the bad update out of our system, the folks responsible for the update actually reached out and asked me what I did.

Ultimately, products like these exist in a very trusted state on systems, because they have to. if and when they crash, you can expect a BSOD. In this case, I suspect CrowdStrike is going to receive (and they deserve) a lot of shit for the way this one went down. The reporting I've seen states that the update file was just a mass of null bytes. And it seems there was no sanity checking or error handling for a corrupt update being pushed by CrowdStrike. I suspect that's gonna get fixed pretty quick, but it was a pretty bad oversight for a product with regular, live updates.

The question really starts before that. Yahweh is supposed to be "omnipotent" or "all powerful". So, why was The Christ necessary at all? If Yahweh could shape reality just by saying things and they became real, couldn't he just say "I forgive you" and "Original Sin" would be forgiven?
So either Yahweh isn't all powerful and there is some greater power to which he is subservient; or, Yahweh just wanted to dip his dick in an unwilling woman to create his son/self to torture to death. All hail Yahweh!

Constantly, unfortunately.
I work in Cyber Security and you can't swing a Cat-5 'o Nine Tails without hitting some vendor talking up the "AI tools" in their products. Some of them are kinda OK. Mostly, this is language models providing relevant documentation or code snippets, stuff which was previously found by a bit of googling. The problem is that AI has been stuffed into network and system analysis, looking for anomalous activity. And every single one of those models is complete shit. While they do find anomalies, it's mostly because they alert of so much stuff, generating so many false positives, that they get one right by blind chance. If you want to make money on a model, sell it to a security vendor. Those of us who have to deal with the tools will hate you, but CEOs and CISOs are eating that shit up right now. If you want to make something actually useful, make a model which identifies and tunes out false positives from other models.

Fantastic write up. I'd just add something to this bit:

Basically companies wouldn’t use CS unless they are too lazy to change away, or they think it’s really that good.

I work in Cyber Security for a large organization (30,000+ end points). We're considering moving to CrowdStrike. Even after this cock-up, we're still considering moving to CS. I've had direct experience with several different A/V and EDR products, and every single one of them has had a bad update cause systems to BSOD. The reason this one hit so hard is that CS is one of the major EDR/XDR vendors. But ya, it's generally considered that good. Maybe some folks will move away after this. And maybe another product is nipping at their heels and will overtake them in the near future. But, for now, it's not surprising that it was everywhere for this situation to get really FUBAR.

Thank fuck. Biden's actually been a pretty good President and I say that after strongly supporting Bernie over him. He's got some flaws and (including some pretty big ones, e.g. Gaza). But, he's also had some good accomplishments and finally recognized that continuing to steer this ship intro the dirt wasn't the best plan. So, Thank you President Biden and let's all now pull together and get whoever replaces him elected. It's probably Harris. Again, not my first choice, and I suspect the selection process isn't going to be terribly Democratic. But, we missed that boat by not having a real primary. But, we now have a chance for someone without one foot in the grave and the other on a patch of ice, to beat Trump. Let's not squander it.

I didn’t actually think about what all these wild AV systems could do, but that’s incredibly broad access.

Always has been. I've clean Symantec A/V off way too many systems in my time, post BSOD. That crap came pre-loaded on so many systems, and then borked them. The problem is, that in order to actually protect system from malware, the A/V has to have full, kernel level access. So, when it goes sideways, it usually takes the system down. I've seen BSODs caused by just about every vendor's A/V or EDR product. Shit happens. Everyone makes mistakes, but when that mistake is in A/V or EDR, it usually means a BSOD.

Maybe I’m just old, but it always strikes me as odd that you’d spend so much money on that much intrusive power that on a good day slows your machines down and on a bad day this happens.
I get that Users are stupid. But maybe you shouldn’t let users install anything. And maybe your machines shouldn’t have access to things that can give them malware. Some times, you don’t need everything connected to a network.

It's tough. The Internet and access to networks provides some pretty good advantages to users. But, it also means users making mistakes and executing malware. And much of the malware now is targeted at user level access; so, you can't even prevent malware by denying local admin/root. Ransomware and infostealers don't need it. A/V ends up being a bit of a backstop to some of that. Sure, it mostly is a waste of resources and can break stuff when things go bad. But, it can also catch ransomware or alert network defenders to infostealers. And either of those can result in a really, really bad day. A ransomed network is a nightmare. And credentials being stolen and not known about can lead to all kinds of bad stuff. If A/V catches or alerts you to just one or two of those events and lets you take action early, it may pay for itself (even with this sort of FUBAR situation) several times over.

Oddly, one of CrowdStrike's selling point is that it provides pretty good EDR for Linux and Mac. If you want crap EDR, which pushes you towards Windows, Microsoft Defender for Endpoint is the ticket.

I do agree with what you are saying, but for a complete beginner, and a very general overview, I didn't want to complicate things too much. I personally run my own stuff in containers and am behind CG-NAT (it's why I gave it a mention).

That said, if you really wanted to give the new user that advice, go for it. Rather than just nit pick and do the "but actshuly" bit, start adding that info and point out how the person should do it and what to consider. Build, instead of just tearing down.

No, but you are the target of bots scanning for known exploits. The time between an exploit being announced and threat actors adding it to commodity bot kits is incredibly short these days. I work in Incident Response and seeing wp-content in the URL of an attack is nearly a daily occurrence. Sure, for whatever random software you have running on your normal PC, it's probably less of an issue. Once you open a system up to the internet and constant scanning and attack by commodity malware, falling out of date quickly opens your system to exploit.

Not saying Windows isn't trash, but considering what CrowdStrike's software is, they could have bricked Mac or Linux just as hard. The CrowdStrike agent has pretty broad access to modify and block execution of system files. Nuke a few of the wrong files, and any OS is going to grind to a halt.

Short answer: yes, you can self-host on any computer connected to your network.

Longer answer:
You can, but this is probably not the best way to go about things. The first thing to consider is what you are actually hosting. If you are talking about a website, this means that you are running some sort of web server software 24x7 on your main PC. This will be eating up resources (CPU cycles, RAM) which you may want to dedicated to other processes (e.g. gaming). Also, anything you do on that PC may have a negative impact on the server software you are hosting. Reboot and your server software is now offline. Install something new and you might have a conflict bringing your server software down. Lastly, if your website ever gets hacked, then your main PC also just got hacked, and your life may really suck. This is why you often see things like Raspberry Pis being used for self-hosting. It moves the server software on to separate hardware which can be updated/maintained outside a PC which is used for other purposes. And it gives any attacker on that box one more step to cross before owning your main PC. Granted, it's a small step, but the goal there is to slow them down as much as possible.

That said, the process is generally straight forward. Though, there will be some variations depending on what you are hosting (e.g. webserver, nextcloud, plex, etc.) And, your ISP can throw a massive monkey wrench in the whole thing, if they use CG-NAT. I would also warn you that, once you have a presence on the internet, you will need to consider the security implications to whatever it is you are hosting. With the most important security recommendation being "install your updates". And not just OS updates, but keeping all software up to date. And, if you host WordPress, you need to stay on top of plugin and theme updates as well. In short, if it's running on your system, it needs to stay up to date.

The process generally looks something like:

• Install your updates.
• Install the server software.
• Apply updates to the software (the installer may be an outdated version).
• Apply security hardening based on guides from the software vendor.
• Configure your firewall to forward the required ports (and only the required ports) from the WAN side to the server.
• Figure out your external IP address.
• Try accessing the service from the outside.

Optionally, you may want to consider using a Dynamic DNS service (DDNS) (e.g. noip.com) to make reaching your server easier. But, this is technically optional, if you're willing to just use an IP address and manually update things on the fly.

Good luck, and in case I didn't mention it, install your updates.

Ya, the guy is a walking case study in how to be a horrible member of society; but, he is now the official GOP nominee for President. Blocking him, but not Biden, might get into sticky territory around campaign finance. Not that Trump's team or the GOP give a shit about that. But, other folks do, probably the Twitch legal team among them.

Somebody forgot about No Changes Friday.

No, because your vote won't encourage investment in flipping the State. I agree that the current duopoly sucks. I was an ardent Bernie supporter and would very much like viable third parties. But, the DNC isn't going to be looking at those third party votes. They need to believe that the Democrats have a chance of winning before they will invest in a State. If all they see are protest votes, then they won't see a viable path to them winning and they will continue to ignore the State.

Ya, it sucks, but we really do need to just keep holding our nose and pulling the lever for the Democrat in the general election.