by xyst 699 days ago
“Technical” detail report reads more like a lawyer generated report. This company is awful.

If I ever get a sales pitch from these shit brains, they will get immediately shut down.

Also fuck MS and their awful operating system that then spawned this god awful product/company known as “CrowdStrike Falcon”

3 comments

You are probably not the target market of this product then. The real product CrowdStrike Falcon sells is regulatory compliance and it's a de facto requirement in many regulated industries including banking.

By the way, Falcon can be and is deployed to Linux and macOS hosts in these organisations too; it's just that this particular incident only affected Windows.

2 things:

1. critical infrastructure around the globe seemed to depend on CrowdStrike

2. "If I ever get a sales pitch from..." suggested you are in an environment that is far from critical infrastructure.

If Windows wasn't as popular, then this might've happened to Linux or macOS instead. Blame CrowdStrike's incompetence, not MS.
It couldn't happen on macOS: Apple stopped letting third-parties run code in the kernel after years of failures like this.

It also wouldn't happen on Linux: they use eBPF there which was designed by grownups and validates its inputs.

eBPF exists on Windows, too: https://microsoft.github.io/ebpf-for-windows/

They’re just not using it. They could have not used it for Linux too. The presence of the feature is not enough to guarantee this would’ve never happened in a hypothetical.

No, the fact that they’re actually using eBPF on Linux is what makes it safer. None of this is magic, it’s just a question of following decades of engineering experience.

Similarly, Microsoft clearly sees the benefits but note that they themselves say that’s not production ready yet. I’m certain that this incident will cause people to consider migrating as soon as that changes.

You’re responding to a hypothetical, not what happened.

Let’s say Linux is the leading OS around the world. How can we be sure that they would actually use eBPF if this was the case?

They would likely choose the fastest option in order to support the platform as quickly as possible. Perhaps eBPF didn’t even exist if they prioritized Linux support and implemented that first, since Falcon was first released in 2013 and eBPF in 2014.

Switching from kernel mode to eBPF would be quite a lift, so if it wasn’t baked in from the start it likely wouldn’t have been added in after the fact.

A decade's worth of changes is a lot to confidently say what would have happened. If Linux and macOS were more popular than Windows, it could have been completely different.

This doesn’t even touch on the massive Debian incident CS had earlier this year, which is not a hypothetical.

They are using eBPF right now. That suggests that they, like everyone else, see benefits in using a platform feature when it exists.
Kexts still exist on macOS
Kind of: they’ve been deprecated for 4 years and you have to disable SIP to load them.

https://developer.apple.com/support/kernel-extensions/

They’ve added system extension mechanisms for the most common needs trying to balance the various things people use kexts for against the impact on security, performance, and reliability many kexts had.