Conversation

Notices

    Kelly Shortridge (shortridge@hachyderm.io)'s status on Friday, 19-Jul-2024 22:03:40 JST

    and this is why we need to stop absolving *commercial* cybersecurity vendors of software quality concerns.

    there should be multiple checks preventing this type of broken content in an update.

    how did they allow it to ship to so many machines all at once?

    #crowdstrike

    In conversation about 10 months ago from hachyderm.io
    Doughnut Lollipop 【記録係】 and clacke like this.
      clacke (clacke@libranet.de)'s status on Friday, 19-Jul-2024 23:38:43 JST
      in reply to Jim
      @sullybiker @shortridge Ironically enough, if they survive this, it might be a huge PR win for them.
      In conversation about 10 months ago
      Jim (sullybiker@sully.site)'s status on Friday, 19-Jul-2024 23:38:44 JST

      @shortridge I have to say I did not know they were so widespread

      In conversation about 10 months ago
      Jim (sullybiker@sully.site)'s status on Friday, 19-Jul-2024 23:38:45 JST

      @shortridge Their updater does it all; it pulls changes automatically outside of the OS methods. They broke it and fixed the update very quickly, but alas the damage was done on many machines, as it is such a low-level tool.

      In conversation about 10 months ago
      Thomas Depierre (di4na@hachyderm.io)'s status on Monday, 22-Jul-2024 22:42:17 JST

      @shortridge i mean it is their job to ship it as fast and as widely as possible... I understand the point but i feel like hitting on it is not that productive

      In conversation about 10 months ago
      Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 22:42:17 JST
      in reply to Thomas Depierre

      @Di4na lots of companies need to ship things fast and as widely as possible.

      albeit, much fewer have the level of access into the system that EDR has (which would suggest investing in even more “ensure the software delivery behaves as intended” tooling).

      regardless, this is why build checks, integration tests, staging environments, experiments, and other software quality tools/approaches exist.

      In conversation about 10 months ago
      clacke likes this.
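The checks the post above argues for, as an added illustration that is not part of the thread: an artifact validation step that rejects malformed content before it ships, and a ring-based rollout that halts on crash telemetry so a bad update reaches a canary cohort rather than the whole fleet. The file layout, ring sizes, thresholds and telemetry values are constructed assumptions, not any vendor's real format or process.

```python
"""Staged rollout gate for a content update (constructed example)."""
from __future__ import annotations

# Rollout rings as cumulative fractions of the fleet (assumed values).
RINGS = [("canary", 0.001), ("early", 0.01), ("broad", 0.20), ("all", 1.0)]
# Halt the rollout if more than 1% of hosts in a ring crash after install.
MAX_CRASH_RATE = 0.01


def validate_artifact(blob: bytes, expected_len: int) -> list[str]:
    """Build-time checks on a content file. Assumed layout: a 4-byte magic
    header 'CHAN' followed by the payload. Returns a list of problems;
    an empty list means the artifact passed."""
    problems = []
    if not blob.startswith(b"CHAN"):
        problems.append("bad magic")
    if len(blob) != expected_len:
        problems.append(f"length {len(blob)} != {expected_len}")
    payload = blob[4:]
    if payload and set(payload) == {0}:
        problems.append("payload is all zeros")
    return problems


def staged_rollout(fleet_size: int, crash_rate_by_ring: dict[str, float]):
    """Release ring by ring, consulting post-install crash telemetry before
    widening. Returns (rings_completed, hosts_exposed, status), where
    hosts_exposed is the cumulative number of hosts that received the update."""
    completed: list[str] = []
    exposed = 0
    for name, fraction in RINGS:
        exposed = max(1, int(fleet_size * fraction))
        if crash_rate_by_ring.get(name, 0.0) > MAX_CRASH_RATE:
            return completed, exposed, f"halted at {name}"
        completed.append(name)
    return completed, exposed, "complete"


if __name__ == "__main__":
    # Constructed artifacts: a zero-filled payload fails validation, a
    # plausible one passes.
    print(validate_artifact(b"CHAN" + b"\x00" * 12, 16))
    print(validate_artifact(b"CHAN" + b"\x01" * 12, 16))
    # Constructed telemetry: the canary ring crashes, so only 1,000 of
    # 1,000,000 hosts are affected instead of the whole fleet.
    print(staged_rollout(1_000_000, {"canary": 0.9}))
    print(staged_rollout(1_000_000, {"canary": 0.0, "early": 0.002}))
```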
      Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 22:42:25 JST
      in reply to Ryan Petrich

      this is why I’ve side eyed any federal document about software #security, quality, or #resilience that demonizes open source software while touting the virtues of commercial cybersecurity products

      as if those products aren’t notorious for deep access + flimsy quality…

      I’ve written about this concern in two separate RFIs to CISA et al (with co-conspirator @rpetrich)

      1) on OSS security https://kellyshortridge.com/blog/posts/rfi-open-source-security-response/

      2) on secure by design https://kellyshortridge.com/blog/posts/rfi-secure-by-design-response/

      #crowdstrike

      In conversation about 10 months ago

      Attachment: Secure by Design RFI Response from Shortridge Sensemaking LLC, from Kelly Shortridge (kellyshortridge.com). This blog post describes our response to CISA’s RFI on Secure by Design and links to the PDF of our comments.
      clacke repeated this.
      Kelly Shortridge (shortridge@hachyderm.io)'s status on Monday, 22-Jul-2024 22:42:25 JST

      ^ In our RFIs, we note that commercial security software is often a boon for attackers given its deep access + poor quality

      indeed, much of it resembles malware in functionality.

      in the #Crowdstrike case now, it’s poorly written malware. “Skidiot” shit, as a friend would say…

      For all the ballyhooing about open source, why don’t we take the security of commercial security software more seriously?

      In conversation about 10 months ago
      clacke likes this.
