[dagaci]

I think you represent the schism in your own post. Retail is hyper focused on the name Microsoft and Windows. But the enterprise and technical people are focused on rolling back a bad CrowdStrike bad update. They will spend hours and even days focusing on doing that, asking why they were vulnerable to such an update and what they should have done to avert being vulnerable to a bad update.

And for them it will be a bit of a stretch to say Microsoft should have stopped us deploying CrowdStrike. I’m sure Microsoft would love to do just that and sell its own Microsoft Solution.

Now if enterprises decide to run only Linux, BSD, or MacOS would they have been invulnerable to a bad CrowdStrike update: https://www.google.com/search?q=crowdstrike+kernel+panic

No so your entire premis is fully invalidated by a single google search.

On the other had I do feel Microsoft does have life far too easy in so many enterprises, but the fault here lies as much with the competition.

[gred]

> it will be a bit of a stretch to say Microsoft should have stopped us deploying CrowdStrike

I read GP's post to mean that if you take a step back, Windows' history of (in)security is what has led us to an environment where CrowdStrike is used / needed.

[rfoo]

Well, then why would we have Linux and macOS versions of CrowdStrike Falcon Sensor (tm), too?

[rietta]

I can answer this. For the same reason I have run ClamAV on Linux development workstations. Because without it, we cannot attest that we have satisfied all requirements of the contract from the client's security organization.

Also if you are a small business and are required to have cybersecurity liability insurance, the underwriter will require such sensors to be in place or you will get no policy.

[usefulcat]

If said underwriters don't typically cover things like the current CrowdStrike problem, that seems like a pretty big case of misaligned incentives.

[berkes]

For the same reasons there's antivirus software for Mac and Linux.

People coming from Microsoft systems just expect it to be required, so there's demand for it (demand != need). And in hybrid environments it may remove a weak link: e.g. a Linux mailserver that serves mail to Windows users best has virus detection for windows viruses.

[TheNewsIsHere]

I’m not defending CrowdStrike here. This is a clearly egregious lack of test coverage, but CrowdStrike isn’t “just” antivirus. The Falcon Sensor does very useful things beyond that, like USB device control, firewall configuration, reporting, etc.

If your use case has a lesser need for antimalware you might still deploy CrowdStrike to achieve those ends. Which help to lessen reliance on antimalware as a singular defense (which of course it shouldn’t be).

[berkes]

I know it isn't just antivirus. I was merely drawing a simpler analogy.

[klooney]

It's not just those darn windows admins. Alot of the certifications customers care about- SOC II, ISO whatever, FedRamp, have line items that require it.

[raffraffraff]

I've had to install server antivirus onto my Linux laptop at 4 different companies. Every time it's been a pain in the ass because the the only antivirus solutions I've found for Linux assume that "this must be a file server used by Windows clients". None of them are actually useful, so I've installed them and disabled them. There, box-checking exercise done.

[buran77]

> For the same reasons there's antivirus software for Mac and Linux.

Because they can also get malware or could use the extra control CS provides, and the "I'm not a significant target so I'm safe" is not really a solid defense? Bad quality protection (as exemplified by the present CS issues) isn't a justification for no protection at all.

Would you ignore the principle of least privilege (least user access) and walk around with all the keys to the kingdom just because you're savvier than most at detecting an attack and anyway you're only one person, what are the chances you're targeted? You're the Linux/MacOS of the user world, and "everyone knows those principles are only for the Windows equivalent of users".

[berkes]

I'm not arguing that Linux or Mac need no protection.

There are serious threats to any Linux machine. And if you include Android, there are probably far more Linux machines out there. Hell, including their navigation, router, NAS, TV, and car, my 70+ yo mom runs at least 5 Linux machines at her home. It's a significant target. And Mac is quite obviously a neat target, if only because the demographic usually has higher income (hardly any Bangladeshi sweatshop worker will put down the cash to buy a MacBook or iphone. But might just own an Android or windows laptop)

I'm arguing that viruses aren't a threat, generally. Partly due to the architecture, partly due to their useage.

[giaour]

Neither Linux nor OSX are immune to viruses, though malware is more commonly written to target Windows given its position in the market. Both iOS and Android are frequent malware targets despite neither being related to Windows, and consequently, both have antivirus capabilities integrated deeply into both the OS and the app delivery ecosystem.

Any OS deployed on a user device needs some form of malware protection unless the device is blocked from doing anything interesting. You can generally forgo anti-malware on servers that are doing one thing that requires a smaller set of permissions (e.g., serving a website), but that's not because of the OS they are running.

[jtbayly]

Wut?

You can’t run ClamAV on iPhone, can you?

[giaour]

No, ClamAV doesn't have an iOS version. There are plenty of iOS-specific AV programs available if you need one, though.

[astura]

It's not just fake demand, it's required in most instances (example- STIG requirements)

[sam_lowry_]

fake requirements?

[sam_lowry_]

I spent some time on STIG website out of curiosity. There seem to be down-to-earth practical requirements but only for Windows, cf. https://public.cyber.mil/stigs/gpo/

Why does it justify running antiviri on Linux is beyond my understanding.

Weak, impotent, speechless IT personnel that can not face off incompetence?

[wpm]

Except at least on the Mac, your AV software is unlikely to be part of the boot process, and doesn't run in the kernel.

Shit like today is precisely why Apple kicked Mac developers out of kernel-space for the most part.

[mbreese]

Windows IT admins who don’t use or understand Linux/Mac. Who also buy at the enterprise level. And who probably have to install (perhaps unnecessary) endpoint protection to satisfy compliance checklists.

The amount of Windows centric IT that gets pushed to Linux/Mac is crazy. I’ve been in meeting where using Windows based file storage was discussed at a possibility for an HPC compute cluster (Linux). And they were being serious. This was in theory so that central IT could manage backups.

[oneeyedpigeon]

To make money? Just because CrowdStrike is available for Linux and Mac doesn't mean that a) people buy and use it in substantial numbers b) people need to buy it. It would be interesting to hear from someone using CrowdStrike in a Linux/Mac environment.

[ljm]

Had it on my Mac a few years back and my long-lasting memory of it was how it:

a) slowed down the performance of my machine to a crawl in a NodeJS project

b) had my laptop fans spinning at full blast 24/7, even waking up the laptop overnight to do it

It was purely for compliance, but I also got the impression that it was a bloated enterprise solution for the problem.

[vladvasiliu]

We run Crowdstrike on Linux and Macs so that we can tick some compliance checkbox.

Fun fact: they’ve recommended we don’t install the latest kernel updates since they usually lag a bit with support. We’re running Ubuntu LTS, not some bleeding edge arch. It now supports using ebpf so it’s somewhat better.

[onewheeltom]

CS installed on my managed Mac. Generally no problems except randomly network stops working. Fixed by waiting.

[skywhopper]

The policies are written by folks who have no understanding of different operating environments. The requirement "All servers and workstations must have EDR software installed" leads to top-level execs doing a deal with Crowdstrike because they "support" Linux, Mac, and Windows. So then every host must have their malware installed to check the box. Doesn't matter if it's useful or not.

[rietta]

Indeed and insurance too. For our business, our professional errors and omissions coverage for years had the ability to cover cyber issues. No more. That requires cybersecurity insurance and the underwriters will not entertain underwriting a policy unless EDR is in place. They don't care if you are running OpenBSD and are an expert in cybersecurity who testifies in court cases or none of that. EDR from our list or no insurance.

[renewedrebecca]

Because of Security Theater.

[LtWorf]

So that work can't progress too fast?

[p_l]

For macOS? Because without it you don't have certain monitoring and compliance capabilities that are standard built-ins in windows, plus for windows/linux/mac the monitoring capabilities are all useful and help detect unwanted operation.

[Aaronstotle]

Because it will look very bad if you answer, "No, our company has no Anti-virus because we are a macOS shop" on a security questionnaire

[thaumasiotes]

> I read GP's post to mean that if you take a step back, Windows' history of (in)security is what has led us to an environment where CrowdStrike is used / needed.

Windows does have a history of insecurity, but it is no different from any other software in this regard. The environment would be the same in the absence of Windows.

Attacks are developed for Windows because attacks against Windows are more valuable -- they have a large number of potential targets -- not because they're easier to develop.

[lizknope]

In the case of a bad Linux kernel update I would just reboot and pick the previous kernel from the boot menu. By default most Linux distributions keep the last 3. I'm not an IPMI remote management expert but it may be possible to script this.

All my machines at home run Linux except for my work laptop. It is stuck in this infinite blue screen reboot loop. Because we use Bitlocker I can't even get it into safe mode or whatever to delete the bad file. I think IT will have to manually go around to literally 8,000 work laptops and fix them individually.

[t_spins]

You would "just pick the previous kernel from the boot menu". That's funny, cause in this case you could "just delete the file causing the issue." Anything can sound easy and simple if you state it that way.

How do you access the boot menu for a server running in the cloud, which you normally just SSH into (RDP in Windows' case)?

About your last paragraph: we have just started sending out the bitlocker keys to everyone so it can be done by them too. Surely not best practice, but it beats everyone having to line up at the helpdesk.

[cesarb]

> You would "just pick the previous kernel from the boot menu". That's funny, cause in this case you could "just delete the file causing the issue." Anything can sound easy and simple if you state it that way.

One small difference, is that choosing the kernel from the boot menu is done before unlocking the encrypted drive, so no recovery keys would be necessary. And yes, choosing an entry from a menu (which automatically appears when the last boot has failed) is simpler than entering recovery mode and typing a command, even without disk encryption.

A better analogue would be a bad update on a non-kernel package which is critical to the boot sequence, for instance systemd or glibc. Unless it's one of the distributions which snapshot the whole root filesystem before doing a package update.

[__MatrixMan__]

NixOS boots to a menu of system configuration revisions to chose from which includes any config change, not just kernel updates.

It's not filesystem snapshots either. It keeps track of input parameters and then "rebuilds" the system to achieve the desired state. It sounds like it would be slow, but you've still got those build outputs cached from the first time, so it's quite snappy.

If you took a bad update, and then boot to a previous revision, the bad update is still in the cache, but it's not pointed to by anything. Admittedly it takes some discipline to maintain that determinism, but it's discipline that pays off.

[rewgs]

I hate to be the guy that's like "Nix is the solution," but...Nix is the solution.

Nearly every corporate machine that needs to run Windows should run it as a VM on a NixOS base, unless there is an extremely good reason not to.

[__MatrixMan__]

Progress is slow, but eventually there will be nix on windows: https://discourse.nixos.org/t/nix-on-windows/1113/117 (fingers crossed).

I don't expect to use it much myself but I love the idea of reducing the OS to an interchangeable part. What matters is the software and its configuration. If windows won't boot for some reason, boot to the exact same environment but on a different OS, and get on with your day.

If something is broken about your environment, fix it in the code that generates that environment--not by booting into safe mode and deleting some file. Tamper with the cause, not with the effect. Cattle, not pets, etc.

This sort of thing is only possible with nix (and maybe a few others) because elsewhere "the exact same environment" is insufficiently defined, there's just not enough information to generate it in an OS-agnostic way.

[lizknope]

I can't delete a file if the machine doesn't finish booting. Unless you are suggesting removing the drive and putting it in another machine. That requires a screwdriver and 5 minutes vs. the 10 seconds to reboot and pick a different kernel.

I'm not talking about the cloud. I am talking about the physical machines sitting in front of me specifically my work laptop.

I am an integrated circuit computer chip designer, not a data center IT person. I have seen IPMI on the servers in our office. Do cloud data centers have this available to people?

I have a cheap cloud VM that I pay $3.50 a month. I normally just SSH in but if I want to install a new operating system or SSH is not responding then I log in to the web site and get a management console. I can get a terminal window and login, I can force a reboot, or I can upload an ISO image of another operating system and select that as the boot device for the next reboot and install that.

Does your cloud service not have something like this?

I don't know what our corporate IT dept wants to do. We all work from home on Friday and I can't login to check email so I'll just wait until Monday as there is nothing urgent today anyway.

[squeaky-clean]

Booting into safe mode still works to delete the bad file.

[lizknope]

The OS drive is encrypted with Bitlocker. I've seen another thread where corporate IT departments were giving out the recovery key to users. I don't need to get anything done today. I'll go into the office on Monday and see what they say.

[j33zusjuice]

Idk if this is a serious question, but you just turn on console access in the cloud provider. It’s super easy. Same concept as VMWare. It’s possible that not all cloud providers do that, I suppose.

[vel0city]

The biggest cloud providers out there (AWS, Azure, GCP) don't.

[kelsey98765431]

> How do you access the boot menu for a server running in the cloud, which you normally just SSH into (RDP in Windows' case)?

They just said IMPI.

[AgentME]

MacOS has been phasing out support for third-party kernel extensions and CrowdStrike doesn't use a kernel extension there according to some other posts.

[mbreese]

I’m convinced that one reason for this move by Apple was poor quality kernel extensions written by enterprise security companies. I had our enterprise virus/firewall program crash my Mac all the time. I eventually had to switch to a different computer (Linux) for that work.

It wasn’t Crowdstrike, but quality kernel level engineering isn’t was I think of when I think of security IT companies.

But, also credit Apple here. They’ve made it possible for these programs to still run and do their jobs without needing to run in kernel mode and be susceptible to crashes.

[nijave]

Not only security software, but really any 3rd party drivers have caused issues on Windows for years. Building better interfaces less likely to crash the kernel was a smart move

[drewg123]

When I started doing driver development on MacOS X in the early 2000s, there were a number of questions on the kernel/driver dev mailing lists for darwin from AV vendors implementing kernel extensions. Most of them were embarrassing questions like "Our kernel extension calls out to our user level application, and sometimes the system deadlocks" that made me resolve to never run 3rd party AV on any system.

[nijave]

Whether you like macOS or not, they definitely are innovating in this space. They (afaik) are the only OS with more granular data access for permissions as well (no unfettered filesystem access by default, for instance)

It's also a shame CrowdStrike doesn't take kernel reliability seriously

[eightysixfour]

I'm sorry, restricting user's ability to change their computer is not innovation. It is paternalism.

[bsharper]

The user can change anything they want, but a process launched by your user doesn't inherit every user access by default. You (the user) can give a process full disk access, or just access to your documents, or just access to your contacts, etc. It's maximizing user control, not minimizing it.

[eightysixfour]

I am talking about removing the ability to install kernel extensions.

As for full disk access, go try and remove Photo Booth from you Mac.

[wtallis]

The user isn't being restricted. Third-party software is being restricted, by default, and those restrictions can be disabled by the user.

[samcat116]

This is a feature not a bug in the enterprise.

[jazzyjackson]

https://learn.microsoft.com/en-us/defender-endpoint/enable-c...

[nijave]

Appears to be opt in vs opt out. I'm curious how many orgs use this

[fsflover]

Qubes OS has a better model, security by compartmentalization: everything runs in separate VMs with hardware virtualization.

[throwaway48476]

Qubes is great but no desktop GPU supports virtualization.

[klodolph]

I could be happy if the GPU was only used for compositing.

If I were doing ML work, maybe I do that work in an ephemeral cloud environment.

I know this doesn’t cover everyone’s use case, but it doesn’t have to.

[wolrah]

> Qubes is great but no desktop GPU supports virtualization.

Intel 12th-gen and newer iGPUs do, and AFAIK it can be unlocked on certain Arc cards as well but details are fuzzy.

[fsflover]

They plan to add GPU acceleration in the next release: https://github.com/QubesOS/qubes-issues/issues/8553

See also: https://www.youtube.com/watch?list=PLQMQQsKgvLntZiKoELFs22Mt...

[wtallis]

> They plan to add GPU acceleration in the next release: https://github.com/QubesOS/qubes-issues/issues/8553

You say they're planning to add a feature in the next release, but what you linked to is merely an uncompleted to-do item for creating a UI switch to toggle a feature that hasn't been written yet. I think you win the prize for the most ridiculous exaggeration in this thread. Unless you can link to something that actually comes anywhere close to supporting your claim, you're just recklessly lying.

[reginald78]

Am I missing something? This is to add a toggle button and the developers say they are blocked because GPU acceleration feature doesn't exist so the button wouldn't be able to do anything.

[nijave]

Android and iOS have compartmentalization as well but it's not hardware level (at least as far as I know).

[dagaci]

https://www.dropboxforum.com/t5/Apps-and-Installations/New-D...

Is this happening with or without kernel extensions?

[ehutch79]

Also, it does actually work on MacOS despite this. We’ve had it catch someone getting malware.

[graemep]

The issue with Crowdstrike on Linux did not cause widespread failures, so its clear that the majority of enterprises that do run their servers on Linux were not affected. They were invulnerable because they do not need Crowdstrike or similar.

Linux (or BSD) servers do not usually require third party kernel modules. Linux desktops might have the odd video driver or similar.

[miah_]

Crowdstrike on Linux is only useful for appeasing corporate auditors, and making Crowdstrike money.

[pepa65]

If you ran "only Linux, BSD, or MacOS" on a Microsoft hypervisor, yes. I would never recommend that, and your link exemplifies one reason why.

[Vilian]

The difference is that i van easily rollback a linux system, a complete update too, nota on windows