by Baguette5242 701 days ago
Holy shit (hits the fan). For sure CrowdStrike will be held accountable in several countries, but I believe that some conclusions need to be drawn also from a customer/user perspective.

- Is it reasonable to grant such privileged access to a piece of software that ultimately is a black box?

- Is it reasonable to put a Microsoft / commercial / closed-source OS in critical infrastructure? If not considered critical, then in “important” infrastructure?

- Is it reasonable to have more than 70% of the computers/servers that run important infrastructure on the same OS / software? How about the mitigation of the risks etc…

I sincerely hope that all of this CrowdStrike mayhem will push stakeholders to draw some conclusions and actions.

8 comments

> Is it reasonable to grant such privileged access to a [ company ] that ultimately is a black box?

This is common enough in the corporate world and precedence in similar circumstances will come into play in various lawsuits.

Examples:

XYZ Security Guards: a third party physical security provider that hires people to watch and patrol buildings, assets, with access to keys, timetables, security logs, etc.

ABC Armoured Transport: third party physical transport provider for cash, sensitive documents, etc.

When AcmeCorp Inc. hires XYZ & ABC it's on the basis of reputation, contracts, and things generally not to do with peeking inside how the cake is baked (hiring records, etc).

Only your third point makes any sense. For the other two, obviously the answer is yes, that's entirely reasonable. Businesses and government organizations use plenty of commercial tools that they have no way of designing or understanding on their own. Software is no different from hardware from this point of view.

A hospital doesn't have, and couldn't use even if it did, the blueprints for an MRI machine or an old-fashioned iron lung. And those machines are built by commercial companies and contain plenty of trade secrets.

If anything, using open-source software that you maintain yourself in critical infrastructure is the more bizarre practice from a historical or industry-level perspective. Even in software, things like Solaris, IBM OSs etc. are much more common than OSS. And even when using FOSS, a commercial distribution like RHEL is far more common than using your own Linux.

But do we really need "trade secrets" as a society?

Even if companies were forced to publish every detail of their devices (which is the only way to not have trade secrets), any decently complex product would still be a black box to every company that is not specialized in creating it.

Even something like a fountain pen is used as a black box, I'm not even talking of anything truly complex. Even the buildings we work in are black boxes that we get from third parties, not to mention all the systems powering and heating or cooling them.

> - Is it reasonable to have more than 70% of the computers/servers that run important infrastructure on the same OS / software? How about the mitigation of the risks etc…

This is the problem as far as I'm concerned. Industry "best practice" is "use the same thing everywhere".

A diverse ecosystem is the best defence.

You could run 100% FreeBSD and be hit by say a hidden kernel bug which occurs on Jan 15th 2027 when unix time goes from 1.7b to 1.8b (I've seen that code before where time is assumed to be below X)

If you run 50% FreeBSD and 50% Windows you will only lose half your service.

You would have a hard time denying 20% of users their first choice.

> - Is it reasonable to grant such privileged access to a piece of software that ultimately is a black box?

As I said in the previous thread: explaining to execs that giving root to someone on your machines means they have root is a very difficult concept for them to understand.

Then the exec should be held responsible?

The exec just follows the instructions provided by their CISO, who adheres to the information security standards used in audits.

These standards are influenced not only by actual threats but also by lobbying from Endpoint Detection and Response (EDR) systems like SentinelOne and Crowdstrike. For instance, in 2021, the White House issued Executive Order 14028, which mandates the Federal Government to implement a robust EDR solution. Consequently, standards such as those from NIST and ISO27001 have increasingly emphasized malware detection and response.

When onboarding any large enterprise, you will encounter these requirements before the enterprise can proceed with procuring your service. This compels B2B organizations to implement this software to be successful.

^1 https://www.opensecrets.org/federal-lobbying/clients/summary...

^2 https://www.opensecrets.org/federal-lobbying/clients/summary...

That responsibility (and associated risk) is often the justification for C compensation. Whether that is a good argument I have no opinion.

How about the good old analogy of giving your house/car/safe keys to a total stranger while going on vacation?

Alas, you didn't need a global incident of this scope to draw those (perfectly valid) conclusions.

The hallmark of intelligence is to observe a situation and the structure of a system, reason about it, draw analogies with past experience and pre-emptively take corrective measures.

The stark truth is that we don't live in a "reasonable" world.

Poor governance, short termism, lack of transparency, incompetence, captured regulation, obsolete ideology etc. are not exceptions but rather the essence of how things "work".

The existential question is whether our demonstrable ability to achieve some learning will be sufficient to deliver solutions in the face of increasing risks.

EDRs are the devil's spyware. Especially since corporate "security" people are now pushing for EDRs to run on Linux. The argument is that the cloud nature of the thing makes it necessary that it runs everywhere. Fact is, since my company forced me to install this black box, my system is definitely less secure. Before that, I didn't have a single incoming port enabled. Now, my system talks to all sorts of external things which I have no knowledge about and no control over.

If your system was processing any valuable information owned by the company (code, PII, etc.) then the company is likely much safer today than it was when you had exclusive control over that system, even if they introduced several vulnerabilities. Previously, if you decided/were coerced to do something against the company's interests, you could do whatever you wanted from that system and they never would have even known. Now, they have some chance to prevent you from doing that, or at least find out in a reasonable amount of time.

Security is a complicated topic, and employees are also potential attack vectors. A system that is in the complete control of a malicious employee is a security problem for the company just as much as a system that was corrupted by an external cracker.

Well, now we're getting somewhere. If my company distrusts me so much that it needs to put a black box in place to prevent me from fucking it over, it shouldn't hire me as an admin for tons and tons of infrastructure. Distrust goes both ways. Increase the pressure, and maybe, maybe, your employee will just leave for another company that doesn't behave that way (yet). The timing is great, because some employees still remember how they were treated during 2020/21.

Any company that fully trusts all of its employees to handle my secrets is a company I don't want to do business with. I would bet you don't want, say, every hospital janitor to have access to your personal medical records either. So, you probably also want the hospital not to trust its employees and to keep certain data under lock and key. Same with a bank and your money.

It's no different with software.

None of them is reasonable. Open source and regulation on software safety are required. Society at large has been too lenient with poor-quality software.

And the solution to that may be worse. Do you want to saddle all open source with strict regulatory compliance on safety?

> Is it reasonable to grant such privileged access to a piece of software that ultimately is a black box?

According to Microsoft it's not, but they were forced to. Interesting how the EU executive is now getting mixed up in this saga: https://www.euronews.com/next/2024/07/23/european-commission...