Conversation
Notices
-
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:26:37 JST 
Pissed Hippo
Crowdstrike is blaming the crash on a bad regex that matched too greedy and returned 20 value array to their DSL, which then attempted to access the 21st parameter, causing an out of bounds array read
I don't see how you could prevent this using technical means without just plain using a safer language than C
an array check would have prevented this which is a mistake, you can catch mistakes using more testing but that is a curve with diminishing returns- Doughnut Lollipop 【記録係】:blobfoxgooglymlem: and snacks like this.
-
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:34:39 JST
Pissed Hippo
@newt I am not 100% on this but I think that Windows kernel enforces a subset of C++ features so like you don't get try/catch but don't quote me on it. -
Embed this notice
:suya: (newt@stereophonic.space)'s status on Thursday, 08-Aug-2024 00:34:40 JST 
:suya:
@sun fun fact. You can have checked arrays in C. Same as normal strings instead of that 0-terminated garbage. L'Eunuchs kernel even does that.
Also fun fact: that clownstrike bullshit was in C++, not C. -
Embed this notice
Piggo :verified_horse: (piggo@piggo.space)'s status on Thursday, 08-Aug-2024 00:36:43 JST 
Piggo :verified_horse:
@sun if you don't do basic checks, it shouldn't pass though MISRA and similar safety standards which this kind of high impact code really should use imo -
Embed this notice
翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Thursday, 08-Aug-2024 00:36:52 JST 
翠星石
@sun Memory overreads are memory-safe.
The CPU can and will do memory overreads just fine no matter what meme high level language you use. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:37:03 JST
Pissed Hippo
@newt my windows kernel knowledge taps out at around 1997 -
Embed this notice
:suya: (newt@stereophonic.space)'s status on Thursday, 08-Aug-2024 00:37:05 JST
:suya:
@sun yeah, no
https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/handling-exceptions -
Embed this notice
snacks (snacks@netzsphaere.xyz)'s status on Thursday, 08-Aug-2024 00:37:53 JST 
snacks
@sun bounds checks are worth it Doughnut Lollipop 【記録係】:blobfoxgooglymlem: and Pissed Hippo like this. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:38:50 JST
Pissed Hippo
@newt I don't know what structured exceptions are or what their limitations are, it says on there it doesn't support C++ exceptions -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 08-Aug-2024 00:39:21 JST 
Haelwenn /элвэн/ :triskell:
@sun At the same time with a DSL I don't think even a safer language would have protected you, like you'd still have got either a bullshit value returned or a runtime crash.
Plus like… don't put a custom interpreter in the kernel.snacks and Pissed Hippo like this. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:40:15 JST
Pissed Hippo
@lanodan yes, everything about this is cursed is the real problem Haelwenn /элвэн/ :triskell: likes this. -
Embed this notice
Hildegunst von Mythenmetz of programming (condret@shitposter.world)'s status on Thursday, 08-Aug-2024 00:40:40 JST 
Hildegunst von Mythenmetz of programming
@sun avoid regex Pissed Hippo likes this. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:40:54 JST
Pissed Hippo
@condret sure but I am assuming some kind of pattern matching was needed -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 08-Aug-2024 00:41:54 JST
Haelwenn /элвэн/ :triskell:
@sun Yeah in a way they did *everything* wrong, which is kind of an achievement. Pissed Hippo likes this. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:42:19 JST
Pissed Hippo
@lanodan about half the things they did wrong are because of Windows limitations -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 08-Aug-2024 00:43:31 JST
Haelwenn /элвэн/ :triskell:
@sun Possibly, more referring to the sheer lack of tests, safety checks and very reckless botnet-style deployments. -
Embed this notice
snacks (snacks@netzsphaere.xyz)'s status on Thursday, 08-Aug-2024 00:43:40 JST
snacks
@sun or counted arrays in general Pissed Hippo likes this. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:44:03 JST
Pissed Hippo
@lanodan they had tests and testing but it missed this because their input data always matched the right way on the flawed regex -
Embed this notice
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Thursday, 08-Aug-2024 00:46:29 JST
Haelwenn /элвэн/ :triskell:
@sun I mean integration tests, not unit tests, which aren't that useful to prove that your software works for system components.
Like doesn't really matters if your function works for few examples if the default config of Windows just blows up on it. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:47:09 JST
Pissed Hippo
@lanodan the document claims they did this but I agree with you it's suspicious because it failed for literally everyone outside their lab -
Embed this notice
:suya: (newt@stereophonic.space)'s status on Thursday, 08-Aug-2024 00:50:45 JST
:suya:
@sun SEH is a pretty cool thing. I wish L'Eunuchs had this.
https://en.wikipedia.org/wiki/Microsoft-specific_exception_handling_mechanisms#SEH
Think C++ exceptions, but adapted to both C and C++ and also covering things like segfaults.Pissed Hippo likes this. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 00:50:53 JST
Pissed Hippo
@newt oh it was added in windows xp, that is why I didn't know about it -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 01:49:23 JST
Pissed Hippo
@RustyCrab @Inginsub I apologize I meant that if you're using vanilla C/C++ you are vulnerable to coding mistakes which just take more testing to catch, and static analysis isn't as good as it could be with other languages.
you can always write more unit tests, you can always do more integration testing, you can do staged rollouts.
I was listening to another video and apparently Crowdstrike for some reason is very hostile to the idea of staged rollouts, they have been asked and they were very vocally resistant. why??? -
Embed this notice
Rusty Crab (rustycrab@clubcyberia.co)'s status on Thursday, 08-Aug-2024 01:49:24 JST 
Rusty Crab
@Inginsub @sun seconded. You don't just crash every computer in the world except for your test setup. Even if that was the case, that's why you do slow rollouts to specific or low risk businesses first to see of anything goes wrong. This is deployment 101. -
Embed this notice
:ihavenomouth: (inginsub@clubcyberia.co)'s status on Thursday, 08-Aug-2024 01:49:25 JST 
:ihavenomouth:
@sun
>I don't see how you could prevent this using technical means
don't use regex in kernel
Also I'm not buying it, somehow it crashed virtually every windows machine but their test setup. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 01:58:27 JST
Pissed Hippo
@phnt @Inginsub @RustyCrab yeah I saw a document that showed they caused outages on linux every month for the past five months (just not literally every linux machine) -
Embed this notice
Phantasm (phnt@fluffytail.org)'s status on Thursday, 08-Aug-2024 01:58:29 JST 
Phantasm
@sun @Inginsub @RustyCrab
>I was listening to another video and apparently Crowdstrike for some reason is very hostile to the idea of staged rollouts, they have been asked and they were very vocally resistant.
They take pride in being one of the best EDR options and generally being very quick to respond to threats. And now it got to them.
The software itself has configurable policies for updates and when they should roll out to your machines, but Crowdstrike still has the ultimate option to completely bypass your own policies, which that update did. This has some usecases, but I would generally prefer an emergency mailing list that companies can subscribe to in case of some random 0day that is detected. Automatic updates on AD controllers is stupid.
They also have a history of breaking OS installs. Basically the same thing also happened this year to Debian and RHEL installs, but that mostly swept under the rug.Pissed Hippo likes this. -
Embed this notice
That Would Be Telling (thatwouldbetelling@shitposter.world)'s status on Thursday, 08-Aug-2024 02:08:44 JST
That Would Be Telling
@sun @lanodan "I don't see how you could prevent this using technical means"
Fuzzing is a thing. Generate perhaps all the inputs (there are domains where this is possible!) and see when it crashes. Cutest named one is https://en.wikipedia.org/wiki/American_Fuzzy_Lop_(software)
But as people have been pointing out, this is a company which in four months crashed four different operating systems, one of their selling points is doing more than Windows, they just didn't give a damn until it likely killed the company. It is after all a notoriously political company and was founded and is run by a Jew.
Haelwenn /элвэн/ :triskell: likes this. -
Embed this notice
Pissed Hippo (sun@shitposter.world)'s status on Thursday, 08-Aug-2024 02:08:44 JST
Pissed Hippo
@ThatWouldBeTelling @lanodan they claim they do fuzzing Haelwenn /элвэн/ :triskell: likes this.
All GNU social JP content and data are available under the