This weekly roundup thread is intended for all culture war posts. 'Culture war' is vaguely defined, but it basically means controversial issues that fall along set tribal lines. Arguments over culture war issues generate a lot of heat and little light, and few deeply entrenched people ever change their minds. This thread is for voicing opinions and analyzing the state of the discussion while trying to optimize for light over heat.
Optimistically, we think that engaging with people you disagree with is worth your time, and so is being nice! Pessimistically, there are many dynamics that can lead discussions on Culture War topics to become unproductive. There's a human tendency to divide along tribal lines, praising your ingroup and vilifying your outgroup - and if you think you find it easy to criticize your ingroup, then it may be that your outgroup is not who you think it is. Extremists with opposing positions can feed off each other, highlighting each other's worst points to justify their own angry rhetoric, which becomes in turn a new example of bad behavior for the other side to highlight.
We would like to avoid these negative dynamics. Accordingly, we ask that you do not use this thread for waging the Culture War. Examples of waging the Culture War:
-
Shaming.
-
Attempting to 'build consensus' or enforce ideological conformity.
-
Making sweeping generalizations to vilify a group you dislike.
-
Recruiting for a cause.
-
Posting links that could be summarized as 'Boo outgroup!' Basically, if your content is 'Can you believe what Those People did this week?' then you should either refrain from posting, or do some very patient work to contextualize and/or steel-man the relevant viewpoint.
In general, you should argue to understand, not to win. This thread is not territory to be claimed by one group or another; indeed, the aim is to have many different viewpoints represented here. Thus, we also ask that you follow some guidelines:
-
Speak plainly. Avoid sarcasm and mockery. When disagreeing with someone, state your objections explicitly.
-
Be as precise and charitable as you can. Don't paraphrase unflatteringly.
-
Don't imply that someone said something they did not say, even if you think it follows from what they said.
-
Write like everyone is reading and you want them to be included in the discussion.
On an ad hoc basis, the mods will try to compile a list of the best posts/comments from the previous week, posted in Quality Contribution threads and archived at /r/TheThread. You may nominate a comment for this list by clicking on 'report' at the bottom of the post and typing 'Actually a quality contribution' as the report reason.
Jump in the discussion.
No email address required.
Notes -
If what is being is reported is true and they released some unrunnable or improperly formatted file, I can’t even comprehend that level of incompetence. There is a lot of bullshit at my company which is also dealing with many of the issues you’ve addressed in your post, and of course we have incidents, but something so basic being released with such insane permissions would not be possible at my workplace. Of course that’s discounting any malicious actor, but the number of QA cycles and slow rollout that we go through would have caught something like this 5 weeks before it sniffed release.
Something or someone is deeply rotten at crowdstrike. They need to make a big-time firing or I predict that people will start fleeing in droves.
They don't stage releases sending them out to limited groups one at a time? They do one global update and hope for the best?
There's such obvious ways to limit the impact of this sort of screwup.
I'm going to play Karnak the Magnificent here and say they do indeed do staged rollouts.
They just don't properly check if one stage has succeeded before moving on to the next.
More options
Context Copy link
Rumors suggest that it may have been rolled out Friday morning local time.
Of course, a slow rollout is pointless if you have no canary process and no means of determining if you just bricked all Australia...
More options
Context Copy link
More options
Context Copy link
This seems to me like a fairly usual level of competence from a bolt-on-security-as-a-product or compliance-as-a-service company. Examples:
It's not that it's amateur hour specifically at CrowdStrike. It's the whole industry.
A general rule: the further a software product is away from "engineering candy", the worse it is.
Software engineers are some of the most entitled, overpaid people on the planet. (I should know!) They have lots of career options.
To get good engineers you need to either pay an outrageous salary or have an interesting product like a video game. Want to find engineers to work on your compliance software? Good luck. Hell, even Google engineers making 400k/year can't be bothered to work on essential but boring products, preferring instead to chase shiny baubles.
No one wants to do the dirty work where good job means not messing up.
I think the problem is that "good job" doesn't mean "not messing up" in the context of these compliance-as-a-service or security-blanket-as-a-service companies. Instead, "good job" is "implement as many features as possible to a level where it's not literally fraud to claim your product has thay feature, and then have a longer checklist of supported features in your product than the competition has so the MBA types choose your product".
CrowdStrike's stock price is only down by about 10% today on one of the highest-impact and highest-profile incidents of this type I've seen. I'm pretty sure their culture of "ship it even if it's janky and broken" has netted them more than a 10% increase in net revenue, so it's probably net positive to have that kind of culture.
Their net revenue is under a billion a year. The total economic damage caused by this single bug is almost certainly larger than the total net income of the entire history of the company. In fact, it is almost certainly larger than the total gross income of the entire history of the company. I do not know where the valuation is coming from, but it certainly isn't from their revenue figures.
Lol P/E of 644.
But it's a hyper-growth company bro, surely they'll be able to pivot to making money once they've captured the full market bro.
More options
Context Copy link
Yeah but if they're not liable what relevance does that have to their share price?
I don't know if they're liable or not. I doubt Crowdstrike knows if they're liable or not.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
I mean, you could get good engineers with a video game project, but for that you have to be willing to also pay them the outrageous salary. Video game projects are more art than engineering, requiring more designers than engineers. And the brilliant engineers won't work for that much below market rate; if that were their goal they'd go into research or try to get into an early-stage startup, not join a project that's just the application of an existing engine to a new gameplay design. The game projects that appeal to engineers don't sell enough for AAA development, they're nerd games like Factorio or RimWorld (sorry friends).
Not that game companies don't capitalize on the appeal of their projects to talent. They just capitalize by taking lower-tier but motivated engineers/artists/designers and running them into the ground.
More options
Context Copy link
More options
Context Copy link
I have always been of the opinion that antivirus is a poor idea, and at best, a half-baked solution preventing you from adopting better solutions, such as sandboxing/virtualization and general human security hygiene. I haven't run an antivirus (besides Windows's built-in Defender) in years on any of my computers or phones, and I've never gotten malware on my systems simply because I don't open any sketchy apps or files, and if I do, it's in a virtual machine isolated from the rest of my system.
That an entire industry (the antivirus industry) exists based on the premise of a bad idea that is not only ineffective but adds massive attack surface simply because attackers can exploit what is essentially a privileged system component with deep access to all parts of the system - a cure worse than the disease - should be a lesson in how easy it is for someone to get the basics of a skill (such as security) wrong.
The problem is that simply receiving a text may count as "opening a sketchy file". You really can't expect every boomer pecking at a computer to know the ins and outs of security.
This is not to defend this particular software, but your view leaves out some things as well.
Bad example? If you're targeted with zero-days like Pegasus, an antivirus software is not going to stop it. In fact the standard defense for this sort of thing is what I've advocated - isolation of system components via sandboxing/virtualization. I'm not sure what your argument is.
AV can at least detect anomalous network traffic or unexpected processes, which is obviously not as good as preventing the infection in the first place but is still valuable.
In this case, the systems were sandboxed - FORCEDENTRY escaped the sandbox. Sandboxing isn't a magical technology without vulnerabilities.
Would antivirus have actually detected this infection? Ignoring the fact that phones don't usually run antivirus (because they employ sandboxing security measures), in the case of FORCEDENTRY, the exploit was discovered because Citizen Lab specifically examined the phone of an anonymous Saudi activist. They don't say what exactly led to the phone being examined by them, but I'm willing to bet that it exhibited signs of infection that any general-purpose antivirus like McAfee wouldn't have detected.
Yes, sandboxing technology can still be vulnerable, but antiviruses are not a better security practice than sandboxing. Moreover - since you brought up a targeted spyware attack - if you're being specifically targeted by nation-state actors aided by NSO Group, you need to up your security anyways. So your comment that
immediately after discussion of FORCEDENTRY confused me, because if your threat model includes zero-day attacks like FORCEDENTRY (for example, you're a political activist, journalist, or whistleblower), then yes, I do expect such a person to know the ins and outs of security. They should stay on top of their game, because their life literally depends on it. At that level of threat modeling, if you're genuinely worried about attacks from well-funded nation-states, then security is not something you can just ignore and expect to have taken care of for you.
It's not one or the other.
Bringing this up as an example was my mistake since it seems to have derailed the conversation.
There are plenty of vulnerabilities out there that are not zero days. There are plenty of systems out there that are vulnerable to such attacks. Not everything is patched as soon as the CVE is published and not every system is updated as soon as the patch is published. It's a simple fact of life that there is a time period between a vulnerability being disclosed and all systems being updated, even if those systems are enrolled in some kind of regular update scheme. Arguing against the need for at least detection and monitoring for threats because you have a lot of faith in sandboxing does not make sense.
Yes, you need to detect and monitor threats. But no, an antivirus is not the sole solution for doing so and I have doubts that an antivirus alone is an adequate solution for this task. I am not arguing against the need for detection and monitoring, and there are better ways to do detection and monitoring that don't come with the added attack surface of an antivirus.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
I incidentally just learned about the Okta breach yesterday simply by getting frustrated with it and searching on Twitter evidence on whether everyone else hates using it continuously as much as I do.
I have the opinion that the more data you give out, the more likely it will just get breached. Especially personal data meant to authenticate your identity. The best thing to do would be to not give data out at all - data that doesn't exist, can't be stolen - but most of the rest of the world doesn't think the same way, and are extremely unlikely to question why we have normalized people giving away their data without a second thought.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
It's mid-July. Likely an intern bypassing a safety check to try to get his project completed on time.
More options
Context Copy link
Don't they deploy updates like this in a development evironment first to test for exactly this kind of thing? I work in very low-level, mostly unimportant IT and I sweat breaking a single website that gets 100 visitors per month. How does something as big as this not get tested first?
More options
Context Copy link
I thought this is exactly why they rollout updates instead of distributing them all at once. Do we know for sure there was a rollout or could they have mistakenly pushed this everywhere at once?
In this case I think it depends on what is being pushed. You have to keep in mind that this is a security tool specifically promising and designed to implement rapid defense against zero-day security exploits. Holding off for a week or so on a threat under active exploitation is not what they are being paid for.
Yeah, the paranoid option is that there was some serious zero-day that they were trying to react against, it worked fine on the development environment, and they made a tradeoff of the risk of this sort of incident against not pushing the big red button.
But being derpy is always an option.
More options
Context Copy link
That’s a good point, but they have to have some kind of staging environment or slow rollout right? You can’t just release to all customers at once, that’s absolutely insane and asking for something like this to happen even if it’s security-critical.
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link
More options
Context Copy link