Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 16:03:47 JST:
Crowdstrike published a faulty update. Causes Windows to bluescreen. Driver is C-00000291*.sys. Will cause worldwide outages.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 16:10:21 JST:
I am obtaining a copy of the driver to see if malicious or bad coding, if anybody else checking let me know.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 16:14:34 JST:
If anybody is wondering the impact of the Crowdstrike thing: it's really bad. Machines don't boot.
The recovery is boot in safe mode, log in as local admin and delete things, which isn't automateable. Basically Crowdstrike will be in very hot water.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 16:41:48 JST:
You know it was coming...
Crowdstrike's BSOD theme tune

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 16:45:13 JST:
Sky News has gone off air in the UK.

ISO8601 (iso8601@cyberplace.social)'s status on Friday, 19-Jul-2024 16:50:27 JST:
@GossiTheDog New order to Vanguard subs: "if Radio 4 is offline, please check a couple of other radio stations to see whether it's an MS or AV outage. Ta."

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 17:12:38 JST:
Favour to IT folks fixing: could you please copy the C-00000291*.sys file to somewhere and upload it to Virustotal, and reply with the Virustotal link or file hash? It's still unclear if the update was malicious or just a bug.

Lorenzo 'kelset' Sciandra (kelset@mastodon.online)'s status on Friday, 19-Jul-2024 17:21:12 JST:
@GossiTheDog at least according to the sources quoted here it seems not malicious: https://www.reddit.com/r/crowdstrike/comments/1e6vmkf/comment/ldvwkbn/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button
(but just gross incompetence)

Guelfo Alexander Ghibellini (guelfoalexander@cyberplace.social)'s status on Friday, 19-Jul-2024 17:25:57 JST:
@GossiTheDog sorry for posting a dumb hint, but is there no way to batch a rollback to the previous Windows System Restore Point?

mvyrmnd :PUA: (mvyrmnd@aus.social)'s status on Friday, 19-Jul-2024 17:26:35 JST:
@GossiTheDog https://www.virustotal.com/gui/file/ad492bc8b884f9c9a5ce0c96087e722a2732cdb31612e092cdbf4a9555b44362

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 17:42:18 JST:
I've obtained copies of the .sys driver files Crowdstrike customers have. They're garbage. Each customer appears to have a different one.
They trigger an issue that causes Windows to blue screen.
I am unsure how these got pushed to customers. I think Crowdstrike might have a problem.

JP (froztbyte@mastodon.social)'s status on Friday, 19-Jul-2024 17:42:43 JST:
@GossiTheDog I don't touch Windows much at all these days; what particularly makes it non-automateable? I would've thought things like PXE-booted scripted run envs or something could be viable, albeit that's with a heavily *nix background talking.

The Penguin of Evil (etchedpixels@mastodon.social)'s status on Friday, 19-Jul-2024 17:44:20 JST:
@GossiTheDog Are they signed garbage?

Xebulun EnEssEitch (xeb@chaos.social)'s status on Friday, 19-Jul-2024 17:56:26 JST:
@GossiTheDog @etchedpixels how do you know?

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 18:14:06 JST:
If anybody is wondering, the update was delivered via channel updates in Crowdstrike.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 18:15:41 JST:
BBC tracker (they mix up an earlier Microsoft outage; what they're actually tracking is the Crowdstrike issue) https://www.bbc.co.uk/news/live/cnk4jdwp49et

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 18:31:20 JST:
The .sys files causing the issue are channel update files; they cause the top-level CS driver to crash as they're invalidly formatted. It's unclear how/why Crowdstrike delivered the files and I'd pause all Crowdstrike's updates temporarily until they can explain.
This is going to turn out to be the biggest 'cyber' incident ever in terms of impact, just a spoiler, as recovery is so difficult.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 18:32:40 JST:
CrowdStrike's shares are down 20% in pre-market.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 18:43:15 JST:
I'm seeing people posting scripts for automated recovery... Scripts don't work if the machine won't boot (it causes instant BSOD); you still need to manually boot the system in safe mode, get through BitLocker recovery (needs per-system key), then execute anything.
Crowdstrike are huge; at a global scale that's going to take... some time.

Bálint Szilakszi (szbalint@x0r.be)'s status on Friday, 19-Jul-2024 18:44:25 JST:
@GossiTheDog Crowdstrike / SOC managing Crowdstrike is saying that there is no possibility to pause these types of updates (we asked). "It would not have prevented this incident."

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 18:59:00 JST:
Crowdstrike statement: https://www.bbc.co.uk/news/live/cnk4jdwp49et?post=asset%3A0c379e1f-48df-493c-a11a-f6b1e3d1eb63#post
Basically 'it's not a security incident... we just bricked a million systems'

Derek Robson (robsonde@mastodon.social)'s status on Friday, 19-Jul-2024 19:20:36 JST:
@GossiTheDog
A million systems? 29k customers, and assuming 5k boxes per customer == 145 million boxes.

robwalker (robwalker@cyberplace.social)'s status on Friday, 19-Jul-2024 19:33:42 JST:
@GossiTheDog USB Rubber Ducky script? 😀 Oh, nope, BitLocker will prevent that being workable.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 20:04:56 JST:
For anybody wondering why Microsoft keep ending up in the frame: they had an Azure outage and (this may be news to some people) a lot of Microsoft support staff are actually external vendors, eg TCS, Mindtree, Accenture etc.
Some of those vendors use Crowdstrike, and so those support staff have no systems.
But MS isn't the outage cause today.

System Adminihater (systemadminihater@cyberplace.social)'s status on Friday, 19-Jul-2024 20:11:48 JST:
@GossiTheDog I don't know how to use this platform but you seem to. Here is a semi-automatic way that I solved this on 1000 machines in 30 minutes.
Copy your custom-driver WinPE image (or a bare one from the ADK) to your system.
Mount it with wimlib.
Edit startnet.cmd and add:
    del C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys
    exit
Unmount the image.
Put the image in your PXE loader OR make it a bootable USB in Rufus. Save an assload of time.

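The WinPE approach in the post above is the workable answer to the earlier point that recovery scripts cannot run on a machine that blue-screens before it boots: the deletion happens from a separate boot environment. As an added example (not the poster's script, nor CrowdStrike or Microsoft tooling), the PowerShell below builds such an image with the DISM cmdlets that ship with Windows rather than wimlib, and its startnet.cmd goes beyond the one-line version in two ways a practitioner runs into immediately: inside WinPE the OS volume is frequently not C:, and a BitLocker-protected volume is invisible until it is unlocked with that system's own recovery password, which therefore cannot be baked into the image. The ADK install path, the C:\WinPE working copy (made with copype) and the package names are assumptions for the reader's environment; the del command itself is the one from the post.

```powershell
# Added example (not from the thread): build a WinPE boot.wim whose startnet.cmd removes
# the faulty channel file. Run from an elevated PowerShell on a machine with the Windows
# ADK and WinPE add-on installed. Assumed paths, adjust to your environment:
#   $AdkPe     - default ADK WinPE folder (assumption)
#   $WinPeRoot - working copy created beforehand with: copype amd64 C:\WinPE (assumption)
$AdkPe     = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64'
$WinPeRoot = 'C:\WinPE'
$BootWim   = Join-Path $WinPeRoot 'media\sources\boot.wim'
$Mount     = Join-Path $WinPeRoot 'mount'

# Recovery logic that runs when WinPE starts (plain cmd batch, stored here as data).
#  1. Every drive letter is probed for a Windows install, because inside WinPE the
#     OS volume is often not C:.
#  2. If nothing is found, the OS volume is probably BitLocker-locked: the operator is
#     asked for the letter and the per-system 48-digit recovery password, the volume is
#     unlocked with manage-bde, and the probe is repeated for that letter.
$StartNet = @'
@echo off
wpeinit
set FOUND=0
for %%d in (C D E F G H I J K L M N O P Q R S T U V W X Y Z) do call :fix %%d
if "%FOUND%"=="1" goto :done
echo No accessible Windows volume found. If the OS volume is BitLocker-protected,
echo enter its drive letter and this system's 48-digit recovery password.
set /p BLDRIVE=Drive letter (e.g. C): 
set /p BLKEY=Recovery password: 
manage-bde -unlock %BLDRIVE%: -RecoveryPassword %BLKEY%
call :fix %BLDRIVE%
:done
echo Finished. Press any key to reboot.
pause
wpeutil reboot
exit
:fix
if not exist %1:\Windows\System32\drivers\CrowdStrike\ goto :eof
echo Windows install found on %1: - removing C-00000291*.sys
del /f /q %1:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys
set FOUND=1
goto :eof
'@

Mount-WindowsImage -ImagePath $BootWim -Index 1 -Path $Mount | Out-Null
$ok = $false
try {
    # manage-bde only exists in WinPE once the WMI and SecureStartup optional components
    # are added; SecureStartup depends on WMI, so the order below matters.
    foreach ($pkg in 'WinPE-WMI', 'WinPE-SecureStartup') {
        Add-WindowsPackage -Path $Mount -PackagePath (Join-Path $AdkPe "WinPE_OCs\${pkg}.cab") | Out-Null
        Add-WindowsPackage -Path $Mount -PackagePath (Join-Path $AdkPe "WinPE_OCs\en-us\${pkg}_en-us.cab") | Out-Null
    }
    # cmd.exe wants CRLF line endings and a plain ASCII file.
    $Target = Join-Path $Mount 'Windows\System32\startnet.cmd'
    Set-Content -Path $Target -Value ($StartNet -replace "`r?`n", "`r`n") -Encoding Ascii
    $ok = $true
}
finally {
    # Commit the image only if every step succeeded; otherwise discard so boot.wim is untouched.
    if ($ok) { Dismount-WindowsImage -Path $Mount -Save    | Out-Null }
    else     { Dismount-WindowsImage -Path $Mount -Discard | Out-Null }
}
# Then: MakeWinPEMedia /UFD C:\WinPE E:   (bootable USB)   or serve media\sources\boot.wim via PXE.
```

The script only ever deletes files matching the channel-file name the thread identifies, so a volume from a machine that is already clean is left alone; the prompt path is deliberately interactive because, as noted earlier in the thread, the BitLocker recovery password differs per system and has to come from your key escrow (for example Entra ID or AD) at the keyboard.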
Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 20:16:21 JST:
Crowdstrike publishes updated CIA triad

uzayran (uzayran@cyberplace.social)'s status on Friday, 19-Jul-2024 20:17:31 JST:
@GossiTheDog "We can do it faster"

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 21:39:20 JST:
By far my fave thing with the Crowdstrike thing is Microsoft saying to try turning impacted PCs off and on again in a loop until you get the magic reboot where CrowdStrike updates before it blue screens.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 21:49:49 JST:
lol Microsoft have put 'reboot each box 15 times' on their website

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 22:05:40 JST:
The chuckle brothers at NoName attempting to claim they caused the incident. To be super clear, NoName can barely DDoS a bike shed website, and once asked me to make their logo in Minecraft.

📷 🖋 ~hyde (hyde@lazybear.social)'s status on Friday, 19-Jul-2024 22:22:33 JST:
@GossiTheDog Did they remove the link saying that?

eclectiqus (eclectiqus@cyberplace.social)'s status on Friday, 19-Jul-2024 22:28:07 JST:
@GossiTheDog
What's the chance that a low and slow piece of malware has been living in some Windows recovery mode file system and this CS Falcon thing is just an impressive method for activating it across the global Windows fleet of critical servers protected by CrowdStrike?

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 22:45:15 JST:
Probably the funniest BBC news update so far (they've cleared the airwaves for this incident).

Ryan Castellucci :nonbinary_flag: (ryanc@infosec.exchange)'s status on Friday, 19-Jul-2024 23:01:21 JST:
@GossiTheDog is it too late to buy calls?

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Friday, 19-Jul-2024 23:34:08 JST:
🤪

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 02:11:28 JST:
BBC News at 6 is leading the entire show with this. (They asked me to appear but I was slightly busy.)
For the record I spent much of the day trying to tell people it isn't a Microsoft issue.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 03:36:31 JST:
When I get successfully DDoS'd it's both a security incident and I'm not protected...

Eric Likness (carpetbomberz@mastodon.online)'s status on Saturday, 20-Jul-2024 03:43:58 JST:
@GossiTheDog Perspective, man. Depends on which end of the telescope you're looking thru. 🔭

Eric Likness (carpetbomberz@mastodon.online)'s status on Saturday, 20-Jul-2024 03:43:58 JST:
@GossiTheDog And I luv seeing George's accomplishments listed out here:
`In his personal time, he is an avid exotic car collector and has driven Audi R8 LMS GT4 and Mercedes-AMG GT3[32] in the Pirelli World Challenge. Previously, he raced in the Radical Cup and Sports Car Club of America endurance events.[34] He is currently driving for CrowdStrike Racing.`

System Adminihater (systemadminihater@cyberplace.social)'s status on Saturday, 20-Jul-2024 04:18:29 JST:
@GossiTheDog People on CNBC were praising him because he used to be the CTO of McAfee, when McAfee did this exact same thing in 2010. Look it up. Seriously.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 04:38:34 JST:
Billboards in Times Square blue screen of deathing. Nice way to find out which orgs use Crowdstrike, this 🤣

lambtor (lambtor@cyberplace.social)'s status on Saturday, 20-Jul-2024 04:47:53 JST:
@GossiTheDog So peaceful.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 04:57:56 JST:
Crazy video of flights being ground stopped across the US earlier today, due to the CrowdStrike issue. https://www.bbc.co.uk/news/live/cnk4jdwp49et?post=asset%3Ae7676a84-628c-4830-ba22-3b86a0d7de4c#post

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 05:00:20 JST:
Photos of CrowdStrike issue https://www.theverge.com/24202037/microsoft-crowdstrike-outage-blue-screen-error-photos

Guelfo Alexander Ghibellini (guelfoalexander@cyberplace.social)'s status on Saturday, 20-Jul-2024 05:36:19 JST:
@GossiTheDog https://www.tumblr.com/guelfoalexander/756464981458944000/attention-to-alternative-solutions-to-bypass-the?source=share

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 05:56:58 JST:
*whispers* They work remotely on Friday

Casey Smith (subtee@federate.social)'s status on Saturday, 20-Jul-2024 06:10:45 JST:
The stressed employees are in Maryland my dear.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 18:19:49 JST:
CrowdStrike have effectively a mini root cause analysis out.
Pretty much as everybody knows, they did a channel update and it caused the driver to crash.
If they blame the person who did the update... they shouldn't, as it sounds like an engine defect.
https://www.crowdstrike.com/blog/technical-details-on-todays-outage/

Kieran McGuire (kieranmcguire@hachyderm.io)'s status on Saturday, 20-Jul-2024 19:06:05 JST:
@GossiTheDog Ed Zitron wrote a post that, amongst other things, says that it was a faulty *kernel driver* update and Microsoft is at least partially responsible for signing it. Would you say this is inaccurate? (Will be a shame if so, Ed's work is usually pretty good!)

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 19:46:35 JST:
For the people thinking 'shouldn't testing catch this?', the answer is yes. Clearly something went wrong.
This isn't CrowdStrike's first rodeo on this, although it is the most severe incident so far.
Eg just last month they had an issue where a content update pushed CPU to 100% on one core: https://www.thestack.technology/crowdstrike-bug-maxes-out-100-of-cpu-requires-windows-reboots/
Truthfully these issues happen across all vendors; I've had my orgs totalled twice now by AV vendors, one while I was on holiday abroad and had to suspend said holiday.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Saturday, 20-Jul-2024 19:52:35 JST:
Btw, that isn't to excuse it or any vendor. CrowdStrike have gotta be better at this stuff. And they'll have to, as if they aren't transparent customers will flee.
It's a warning shot to all AV/EDR/XDR vendors that if you fuck up availability, your brand will become failure. It's harsh but that's the media cycle and modern world.

WowSuchCyber (wowsuchcyber@toot.zof.sh)'s status on Saturday, 20-Jul-2024 19:53:10 JST:
@GossiTheDog they happened at McAfee in 2010

Raphael (0x3e4@cyberplace.social)'s status on Saturday, 20-Jul-2024 19:55:25 JST:
@GossiTheDog remember when MS Defender killed all desktop shortcuts lmao... last year?

Joel Michael (jpm@aus.social)'s status on Saturday, 20-Jul-2024 20:05:08 JST:
@GossiTheDog watch customers flee without understanding what they're fleeing from: https://aus.social/@jpm/112812079293445696

System Adminihater (systemadminihater@cyberplace.social)'s status on Saturday, 20-Jul-2024 20:40:41 JST:
@GossiTheDog Also... it's 20% the Windows kernel having code from Win2k in it. Truth is Windows should never BSOD or allow something else to make it BSOD.

jmjm (jmjm@mstdn.social)'s status on Saturday, 20-Jul-2024 22:07:13 JST:
@GossiTheDog intended as a serious question, not snark:
When I push a kernel update to prod I have a gradual rollout plan that lets me canary the change and roll it back, say, before the pager outside the CEO's hot tub goes off.
Did CrowdStrike just not do that, or is there some technical reason (latency between deployment and failure) that this common strategy failed?

Khleedril (khleedril@cyberplace.social)'s status on Saturday, 20-Jul-2024 22:29:28 JST:
@GossiTheDog I know they are denying it, but I find it hard to believe this isn't a case of deliberate sabotage.

Erik Ableson (erik@mastodon.infrageeks.social)'s status on Saturday, 20-Jul-2024 23:50:39 JST:
@GossiTheDog Out-of-the-gate qualifying question for these vendors: is your software written in a memory-safe language?

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 21-Jul-2024 00:35:46 JST:
Microsoft estimate almost 9 million Windows devices are impacted by the CrowdStrike incident (likely from crash telemetry). https://blogs.microsoft.com/blog/2024/07/20/helping-our-customers-through-the-crowdstrike-outage/

翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Sunday, 21-Jul-2024 01:59:12 JST:
@GossiTheDog Ah yes, the consequences of running Windows on computers that should have been running GNU/Linux.

Rocketman (slothrop@chaos.social)'s status on Sunday, 21-Jul-2024 02:41:07 JST:
@GossiTheDog In reality it was just 1 million devices, which each got rebooted 9 times on average 🤡

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Sunday, 21-Jul-2024 02:41:43 JST:
Hackers reboot announced for 2025, trailer dropped

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Monday, 22-Jul-2024 02:15:58 JST:
The Verge has a quick look at the orgs trying to recover from the Crowdstrike incident.
If you're wondering why it's dropped off the radar of most press, they think it's over as Down Detector looks okay (which, to be clear, is not good logic).
https://www.theverge.com/2024/7/21/24202960/crowdstrike-windows-outage-it-workers-photos-videos

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jul-2024 02:42:37 JST:
How much is a significant number?

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jul-2024 02:54:14 JST:
Interesting: did anybody keep a list of tweets by CrowdStrike staff during the start of the incident? This one has been deleted. https://x.com/brody_n77/status/1814186136149037459

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jul-2024 05:49:09 JST:
US House committee calls on CrowdStrike CEO to testify on global outage https://www.washingtonpost.com/technology/2024/07/22/house-committee-calls-crowdstrike-ceo-testify-global-outage/

Wolfie (wolfie@blahaj.social)'s status on Tuesday, 23-Jul-2024 07:43:05 JST:
@GossiTheDog Well this will be absolutely jam-packed with good takes, I'm sure

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jul-2024 08:55:24 JST:
Crowdstrike are touting auto remediation of blue screen as an opt-in feature.
However, I just tried it: it's not very successful, most boots still blue screen of death. I think CS need to be careful on messaging about this as it sounds like they're offering it as a silver bullet. It only works if networking kicks in and the agent updates before Windows finishes booting.
https://www.reddit.com/r/sysadmin/comments/1e9nqyn/just_exited_a_meeting_with_crowdstrike_you_can/

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jul-2024 18:33:10 JST:
Delta cancelled another 20% of US flights yesterday as they struggle to recover from the CrowdStrike incident https://www.bankinfosecurity.com/blogs/crowdstrike-disruption-restoration-taking-time-p-3673

Stanislav Ochotnický (drizzy@cyberplace.social)'s status on Tuesday, 23-Jul-2024 18:42:11 JST:
@GossiTheDog I suppose CrowdStrike could use this outage as their carbon credits. Hey, look how much CO2 it saved with this simple trick!

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jul-2024 20:08:44 JST:
CrowdStrike have published a video on YouTube about how to remediate PCs: https://www.youtube.com/watch?v=Bn5eRUaMZXk

Infoseepage #StopGazaGenocide (infoseepage@mastodon.social)'s status on Tuesday, 23-Jul-2024 20:33:41 JST:
@GossiTheDog In particular, not very helpful for WiFi-connected systems (laptops) without Ethernet, as I've seen a lot of laptops which only establish connections once the desktop has been reached.

Sandrew :clubtwit: (sandrew@twit.social)'s status on Tuesday, 23-Jul-2024 20:33:41 JST:
@Infoseepage @GossiTheDog That's only if you didn't authenticate to Wi-Fi before logon (e.g. at the logon screen), which shouldn't be the case in many corporate environments (who are the only ones using CrowdStrike), as they'd have pushed the Wi-Fi settings via group policy.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jul-2024 23:09:24 JST:
Delta are still struggling, suspending additional services.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Tuesday, 23-Jul-2024 23:12:46 JST:
Upguard have published a list of companies they say are impacted by the CrowdStrike 'Global IT Outage', based on public reporting.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 24-Jul-2024 01:42:02 JST:
If anybody wonders what the file that took down 8.5 million Windows systems looks like... it was 41 KB in size.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 24-Jul-2024 01:58:24 JST:
The US Department of Transport has opened an investigation into Delta over the disruption related to the CrowdStrike incident.
Good luck to the CrowdStrike account manager for Delta.

Adam Collins (m104@mastodon.social)'s status on Wednesday, 24-Jul-2024 01:59:50 JST:
@GossiTheDog Is there some sort of signature or checksum, or does the CrowdStrike agent just say "YOLO, whatever we downloaded, let's just start processing it"?

Piggo :verified_horse: (piggo@piggo.space)'s status on Wednesday, 24-Jul-2024 02:02:26 JST:
@GossiTheDog do you think the fallout will kill the company? It's like the biggest fuckup you can possibly make.

codeandroid 🇺🇦 (codeandroid@mastodon.social)'s status on Wednesday, 24-Jul-2024 02:17:37 JST:
@GossiTheDog @piggo Is there a good answer to the question: which vendor is proven to have better processes (and less bad kernel drivers)?

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 24-Jul-2024 16:49:33 JST:
The initial Post Incident Review is out from CrowdStrike. It's good and really honest.
There's some wordsmithing (eg channel updates aren't code; their parameters control code).
The key takeaway: channel updates are currently deployed globally, instantly. They plan to change this at a later date to operate in waves. This is smart (and what Microsoft do for similar EPP updates).
https://www.crowdstrike.com/falcon-content-update-remediation-and-guidance-hub/

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Wednesday, 24-Jul-2024 17:27:07 JST:
By 'this is smart' I mean 'this is smart... now'. Obviously they shouldn't have been globally, simultaneously deploying kernel driver parameter changes across all customers: it was waiting to go wrong.
They still are btw, as it will take a while to engineer the correct way of doing it.

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 25-Jul-2024 02:34:04 JST:
On insurance and CrowdStrike, Parametrix claim that amongst just the Fortune 500 companies, they are facing $5.4bn in losses, of which around 10% will be covered by insurance.
https://www.theguardian.com/technology/article/2024/jul/24/crowdstrike-outage-companies-cost

Kevin Beaumont (gossithedog@cyberplace.social)'s status on Thursday, 25-Jul-2024 02:52:11 JST:
CrowdStrike have won this year's Pwnie Award for Epic Fail, which will please @qwertyoruiop.