And keep in mind, the falcon sensor exists for Linux. All those big companies largely use it.
Essentially we just got lucky that their buggy patch only affected the windows version of the sensor in a showstopping way. Could have been all major OS.
On one hand I hope people are smart enough to run updates to critical systems on a test environment, first. On the other hand I’ve learned that that is not at all the case yesterday.
Many security products have no test option. One I’m using has a best practice of a 15 minute delay between test and prod and no automation to suspend besides relying on the vendor to pull the update it within 15 mins if it were to go full crowdstrike.
The problem her was that this wasn’t a traditional update. It was delivered automatically as a “content” update (like how old av would have definition update). We were given no room to test.
I don’t think the Linux culture is very similar to the windows culture. At least for me personally, I wouldn’t use crowdstrike and let them install whatever they want into my environment.
It’s not your machine, your choice of distro, or your choice of specific packages to use or not use. It’s a work tool you get handed as part of a job. So whether CrowdStrike runs on it or not is not your decision and you aren’t allowed (and usually not capable) to change that.
That’s an entirely different situation from one where you get a PC to do with as you please and set up yourself, or a private machine.
Plus we’re mostly talking endpoint devices for non-technical users with many of these difficult-to-fix devices as techs have to drive out to them. The users expect a tool, and they get a tool. A Linux would be customized and utterly locked down, and part of that would be the endpoint protection software.
And keep in mind, the falcon sensor exists for Linux. All those big companies largely use it.
Essentially we just got lucky that their buggy patch only affected the windows version of the sensor in a showstopping way. Could have been all major OS.
This mastodon user claims otherwise:
https://nondeterministic.computer/@mjg59/112816011370924959
That’s only true if you run falcon-sensor in ebpf and not kmod mode.
The issuw didn’t affect Linux and macOS systems with Crowdstrike Falcon installed, though, only Windows systems.
On Windows, booting into Safe Mode and removing
C:\Windows\System32\Drivers het bestand C-00000291*.systemporarily solves the BSOD issue, as well.The point is that it could have. Or maybe some unknown 0-day gets used by someone out to cause chaos instead of collect random.
That’s true
On one hand I hope people are smart enough to run updates to critical systems on a test environment, first. On the other hand I’ve learned that that is not at all the case yesterday.
Many security products have no test option. One I’m using has a best practice of a 15 minute delay between test and prod and no automation to suspend besides relying on the vendor to pull the update it within 15 mins if it were to go full crowdstrike.
The problem her was that this wasn’t a traditional update. It was delivered automatically as a “content” update (like how old av would have definition update). We were given no room to test.
Yep I know
I don’t think the Linux culture is very similar to the windows culture. At least for me personally, I wouldn’t use crowdstrike and let them install whatever they want into my environment.
Maybe it’s just me.
It’s not your machine, your choice of distro, or your choice of specific packages to use or not use. It’s a work tool you get handed as part of a job. So whether CrowdStrike runs on it or not is not your decision and you aren’t allowed (and usually not capable) to change that.
That’s an entirely different situation from one where you get a PC to do with as you please and set up yourself, or a private machine.
Plus we’re mostly talking endpoint devices for non-technical users with many of these difficult-to-fix devices as techs have to drive out to them. The users expect a tool, and they get a tool. A Linux would be customized and utterly locked down, and part of that would be the endpoint protection software.