I’d love to know how you plan to do user mode packet filtering. Keep in mind that on Linux, the designated API is inherently kernel mode. https://netfilter.org/
This isn’t one of the cases where we’re talking about Linux being superior to windows. Any OS will be fucked if you give it a mangled kernel module. In this case, it’s just that only one got one.
Your perception that anything that touches the kernel is an intrinsic security risk is unfounded.
I mean, sure. But typically operating systems don’t expose that type of information to user space, instead providing a kernel interface with user mode configuration.
It’s why they use the same basic approach on mac and Linux.
The kernel is responsible for managing hardware and general low-level system operations. Anything that wants to do those things needs to get itself into kernel mode one way or another.
The typical way you do this is called a “driver” and no one thinks about them as being kernel code. Things like graphics cards and the like.
Things that want to do actions like monitor network traffic or filesystem activity system wide or in a lower level capacity than the normal tools provide also need to be kernel level.
In a security context, that specifically would include things that want to monitor raw packets rather than the parsed content that assumes the packet is well formed in a way that a malicious one might not be.
Cloudstrike does the same thing on Linux, and the typical tools for network management or advanced security are also either compiled in or loadable kernel modules.
It’s easy to forget that ip/ebtables and selinux and friends are kernel level software frequently distributed as kernel modules, in the case of the firewalls, or compiled in with a special framework and not just user mode software.
Also, it’s less about “their” drivers and more about what a kernel module can do.
Saying “there’s no way to know” doesn’t fit, because we do know that a malformed kernel module can destabilize a linux or mac system.
“Malformed file” isn’t a programming defect or something you can fix by having a better API.
Security operations being one of the things that is often best done at the kernel level because of the need to monitor network and file operations in a way you can’t in user mode.
That’s totally fair. :)
I work at a different company in the same security space as cloudstrike, and we spend a lot of time considering stuff like “if this goes sideways, we need to make sure the hospitals can still get patient information”.
I’m a little more generous giving the downstream entities slack for trusting that their expensive upstream security vendor isn’t shipping them something entirely fucking broken.
Like, I can’t even imagine the procedureal fuck up that results in a bsod getting shipped like that. Even if you have auto updates enabled for our stuff, we’re still slow rolling it and making sure we see things being normal before we make it available to more customers. That’s after our testing and internal deployments.
I can’t put too much blame on our customers for trusting us when we spend a huge amount of energy convincing them we can be trusted to literally protect all their infrastructure and data.
you cannot pull a Boeing and let people die
You say that, but have you considered the savings?
Nope, because they only shipped a corrupted windows kernel module.
It’s dumb luck that whatever process resulted in them shipping a broken build didn’t impact the other platforms.
Typically auto-applying updates to your security software is considered a good IT practice.
Ideally you’d like, stagger the updates and cancel the rollout when things stopped coming back online, but who actually does it completely correctly?
Yeah, it’s a crowd strike issue. The software is essentially a kernel module, and a borked kernel module will have a lot of opportunities to ruin stuff, regardless of the OS.
Ideally, you want your failure mode to be configurable, since things like hospitals would often rather a failure with the security system keep the medical record access available. :/. If they’re to the point of touching system files, you’re pretty close to “game over” for most security contexts unfortunately. Some fun things you can do with hardware encryption modules for some cases, but at that point you’re limiting damage more than preventing a breach.
Architecture wise, the windows hybrid kernel model is potentially more stable in the face of the “bad kernel module” sort of thing since a driver or module can fail without taking out the rest of the system. In practice… Not usually since your video card shiting the bed is gonna ruin your day regardless.
Sure, but they weren’t patching a windows vulnerability, windows software, or a security issue, they were updating their software.
I’m all for blaming Microsoft for shit, but “third party software update causes boot problem” isn’t exactly anything they caused or did.
You also missed that the same software is deployed on Mac and Linux hosts.
Hell, they specifically call out their redhat partnership: https://www.crowdstrike.com/partners/falcon-for-red-hat/
I’d say they’re doing a good job by virtue of popularity.
It’s far from the best metric, but a lot of people have bought them and been happy enough.
And they do a great job with the transitioning between docked and mobile setups, which is also key.
https://en.wikipedia.org/wiki/List_of_United_States_presidential_assassination_attempts_and_plots
Looks like there was a precious attempt on trump where someone stole a forklift and tried to ram the motorcade, but they got stuck before getting very far and police were surprised when he said it was an assassination attempt and not just “wanted a forklift”.
Same, felt weird.
Beyond that, I learned about it via a particularly cold meme.
https://www.theguardian.com/us-news/article/2024/jul/12/heritage-foundation-mike-howell-election
The document with it’s horrible URL escaped after the edit
Mike Howell, executive director of the Oversight Project at the Heritage Foundation, made the comments at an event in Washington sharing the results of a hypothetical exercise mapping out several implausible scenarios that could take place after the election. The outlandish scenarios involved Barbara Streisand being kidnapped by Hamas, antifa-BLM protesters taking over a detention facility and the FBI arresting Donald Trump after winning the election.
The effort was designed to muddy the waters over the threat to the 2024 election posed by Donald Trump, who has repeatedly refused to commit to accepting the election results and tried to overturn the 2020 vote. Instead, the Heritage Foundation, which is also behind the extreme Project 2025, wanted to suggest that it was Joe Biden who could try to overturn the result of the election, echoing the ex-president’s repeated claims that it is actually Biden who is the threat to democracy.
Yeah, I’m in the same boat personally but there have been occasions where something is being played on the deck and then the TV becomes available, leaving a moment of “is it worth it to quickly switch over and eat the performance hit?”
It’s far from a deal breaker, but something has to be the worst aspect.
It astounds me that only two companies seem to have really accepted and done a good job with the concept.
I wish the steam deck did a little better while docked, but it’s perfectly fine for what I use it for.
Impeachment is the decision to press charges, and the Senate trial is closer to the actual trial.
“Charged and convicted” -> “impeached and convicted”
Otherwise a perfectly good analogy. :)
The distinction only matters for people who bring up due process concerns. The impeachment proceedings aren’t actually a trial, but a decision to have one, as such you aren’t obligated to the same ability to speak in your own defense as you would be at a proper trial. With the Senate trial there’s more expectation of due process because it’s an actual trial.
Can’t fault you for feeling that way. I definitely don’t think anyone should be exempt from responsibility, I meant blame in the more emotional “ugh, you jerk” sense.
If someone can’t fulfill their responsibilities because someone they depended on failed them, they’re still responsible for that failure to me, but I’m not blaming them if that makes any sense.
Power outage or not, the store owes me an ice cream cake and they need to make things even between us, but I’m not upset with them for the power outage.