All our servers and company laptops went down at pretty much the same time. Laptops have been bootlooping to blue screen of death. It’s all very exciting, personally, as someone not responsible for fixing it.

Apparently caused by a bad CrowdStrike update.

Edit: now being told we (who almost all generally work from home) need to come into the office Monday as they can only apply the fix in-person. We’ll see if that changes over the weekend…

  • jedibob5@lemmy.world
    link
    fedilink
    English
    arrow-up
    220
    arrow-down
    3
    ·
    5 months ago

    Reading into the updates some more… I’m starting to think this might just destroy CloudStrike as a company altogether. Between the mountain of lawsuits almost certainly incoming and the total destruction of any public trust in the company, I don’t see how they survive this. Just absolutely catastrophic on all fronts.

    • NaibofTabr@infosec.pub
      link
      fedilink
      English
      arrow-up
      128
      ·
      5 months ago

      If all the computers stuck in boot loop can’t be recovered… yeah, that’s a lot of cost for a lot of businesses. Add to that all the immediate impact of missed flights and who knows what happening at the hospitals. Nightmare scenario if you’re responsible for it.

      This sort of thing is exactly why you push updates to groups in stages, not to everything all at once.

      • rxxrc@lemmy.mlOP
        link
        fedilink
        English
        arrow-up
        78
        ·
        5 months ago

        Looks like the laptops are able to be recovered with a bit of finagling, so fortunately they haven’t bricked everything.

        And yeah staged updates or even just… some testing? Not sure how this one slipped through.

        • dactylotheca@suppo.fi
          link
          fedilink
          English
          arrow-up
          132
          arrow-down
          1
          ·
          5 months ago

          Not sure how this one slipped through.

          I’d bet my ass this was caused by terrible practices brought on by suits demanding more “efficient” releases.

          “Why do we do so much testing before releases? Have we ever had any problems before? We’re wasting so much time that I might not even be able to buy another yacht this year”

            • dactylotheca@suppo.fi
              link
              fedilink
              English
              arrow-up
              42
              ·
              5 months ago

              Certainly not! Or other industries for that matter. It’s a good thing executives everywhere aren’t just concentrating on squeezing the maximum amount of money out of their companies and funneling it to themselves and their buddies on the board.

              Sure, let’s “rightsize” the company by firing 20% of our workforce (but not management!) and raise prices 30%, and demand that the remaining employees maintain productivity at the level it used to be before we fucked things up. Oh and no raises for the plebs, we can’t afford it. Maybe a pizza party? One slice per employee though.

        • Confused_Emus@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          One of my coworkers, while waiting on hold for 3+ hours with our company’s outsourced helpdesk, noticed after booting into safe mode that the Crowdstrike update had triggered a snapshot that she was able to roll back to and get back on her laptop. So at least that’s a potential solution.

    • RegalPotoo@lemmy.world
      link
      fedilink
      English
      arrow-up
      50
      arrow-down
      2
      ·
      5 months ago

      Agreed, this will probably kill them over the next few years unless they can really magic up something.

      They probably don’t get sued - their contracts will have indemnity clauses against exactly this kind of thing, so unless they seriously misrepresented what their product does, this probably isn’t a contract breach.

      If you are running crowdstrike, it’s probably because you have some regulatory obligations and an auditor to appease - you aren’t going to be able to just turn it off overnight, but I’m sure there are going to be some pretty awkward meetings when it comes to contract renewals in the next year, and I can’t imagine them seeing much growth

      • Skydancer@pawb.social
        link
        fedilink
        English
        arrow-up
        23
        arrow-down
        1
        ·
        5 months ago

        Nah. This has happened with every major corporate antivirus product. Multiple times. And the top IT people advising on purchasing decisions know this.

        • SupraMario@lemmy.world
          link
          fedilink
          English
          arrow-up
          14
          arrow-down
          1
          ·
          5 months ago

          Yep. This is just uninformed people thinking this doesn’t happen. It’s been happening since av was born. It’s not new and this will not kill CS they’re still king.

        • corsicanguppy@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 months ago

          At my old shop we still had people giving money to checkpoint and splunk, despite numerous problems and a huge cost, because they had favourites.

      • jedibob5@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        ·
        edit-2
        5 months ago

        Don’t most indemnity clauses have exceptions for gross negligence? Pushing out an update this destructive without it getting caught by any quality control checks sure seems grossly negligent.

      • Revan343@lemmy.ca
        link
        fedilink
        English
        arrow-up
        12
        arrow-down
        1
        ·
        5 months ago

        explain to the project manager with crayons why you shouldn’t do this

        Can’t; the project manager ate all the crayons

      • candybrie@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        Why is it bad to do on a Friday? Based on your last paragraph, I would have thought Friday is probably the best week day to do it.

        • Lightor@lemmy.world
          link
          fedilink
          English
          arrow-up
          21
          ·
          edit-2
          5 months ago

          Most companies, mine included, try to roll out updates during the middle or start of a week. That way if there are issues the full team is available to address them.

        • catloaf@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          I’m not sure what you’d expect to be able to do in a safe mode with no disk access.

      • corsicanguppy@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        5 months ago

        rolling out an update to production that there was clearly no testing

        Or someone selected “env2” instead of “env1” (#cattleNotPets names) and tested in prod by mistake.

        Look, it’s a gaffe and someone’s fired. But it doesn’t mean fuck ups are endemic.

    • ThrowawaySobriquet@lemmy.world
      link
      fedilink
      English
      arrow-up
      23
      ·
      5 months ago

      I think you’re on the nose, here. I laughed at the headline, but the more I read the more I see how fucked they are. Airlines. Industrial plants. Fucking governments. This one is big in a way that will likely get used as a case study.

    • Munkisquisher@lemmy.nz
      link
      fedilink
      English
      arrow-up
      19
      arrow-down
      1
      ·
      5 months ago

      Yeah saw that several steel mills have been bricked by this, that’s months and millions to restart

      • gazter@aussie.zone
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        1
        ·
        5 months ago

        Got a link? I find it hard to believe that a process like that would stop because of a few windows machines not booting.

          • drspod@lemmy.ml
            link
            fedilink
            English
            arrow-up
            15
            ·
            5 months ago

            Those machines should be airgapped and no need to run Crowdstrike on them. If the process controller machines of a steel mill are connected to the internet and installing auto updates then there really is no hope for this world.

            • Munkisquisher@lemmy.nz
              link
              fedilink
              English
              arrow-up
              2
              ·
              5 months ago

              I work in an environment where the workstations aren’t on the Internet there’s a separate network, there’s still a need for antivirus and we were hit with bsod yesterday

            • Hotzilla@sopuli.xyz
              link
              fedilink
              English
              arrow-up
              1
              ·
              5 months ago

              There is no unsafer place than isolated network. AV and xdr is not optional in industry/healthcare etc.

        • conciselyverbose@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          edit-2
          5 months ago

          There are a lot of heavy manufacturing tools that are controlled and have their interface handled by Windows under the hood.

          They’re not all networked, and some are super old, but a more modernized facility could easily be using a more modern version of Windows and be networked to have flow of materials, etc more tightly integrated into their systems.

          The higher precision your operation, the more useful having much more advanced logs, networked to a central system, becomes in tracking quality control.

          Imagine if after the fact, you could track a set of .1% of batches that are failing more often and look at the per second logs of temperature they were at during the process, and see that there’s 1° temperature variance between the 30th to 40th minute that wasn’t experienced by the rest of your batches. (Obviously that’s nonsense because I don’t know anything about the actual process of steel manufacturing. But I do know that there’s a lot of industrial manufacturing tooling that’s an application on top of windows, and the higher precision your output needs to be, the more useful it is to have high quality data every step of the way.)

      • Nachorella@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        5
        ·
        5 months ago

        They can have all the clauses they like but pulling something like this off requires a certain amount of gross negligence that they can almost certainly be held liable for.

        • IsThisAnAI@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          3
          ·
          5 months ago

          For what? At best it would be a hearing on the challenges of national security with industry.

    • Bell@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      8
      ·
      5 months ago

      Don’t we blame MS at least as much? How does MS let an update like this push through their Windows Update system? How does an application update make the whole OS unable to boot? Blue screens on Windows have been around for decades, why don’t we have a better recovery system?

      • sandalbucket@lemmy.world
        link
        fedilink
        English
        arrow-up
        14
        arrow-down
        1
        ·
        5 months ago

        Crowdstrike runs at ring 0, effectively as part of the kernel. Like a device driver. There are no safeguards at that level. Extreme testing and diligence is required, because these are the consequences for getting it wrong. This is entirely on crowdstrike.

    • Franklin@lemmy.world
      link
      fedilink
      English
      arrow-up
      83
      arrow-down
      2
      ·
      5 months ago

      The four multinational corporations I worked at were almost entirely Windows servers with the exception of vendor specific stuff running Linux. Companies REALLY want that support clause in their infrastructure agreement.

      • Avatar_of_Self@lemmy.world
        link
        fedilink
        English
        arrow-up
        25
        ·
        5 months ago

        I’ve worked as an IT architect at various companies in my career and you can definitely get support contracts for engineering support of RHEL, Ubuntu, SUSE, etc. That isn’t the issue. The issue is that there are a lot of system administrators with “15 years experience in Linux” that have no real experience in Linux. They have experience googling for guides and tutorials while having cobbled together documents of doing various things without understanding what they are really doing.

        I can’t tell you how many times I’ve seen an enterprise patch their Linux solutions (if they patched them at all with some ridiculous rubberstamped PO&AM) manually without deploying a repo and updating the repo treating it as you would a WSUS. Hell, I’m pleasantly surprised if I see them joined to a Windows domain (a few times) or an LDAP (once but they didn’t have a trust with the Domain Forest or use sudoer rules…sigh).

        • Semi-Hemi-Lemmygod@lemmy.world
          link
          fedilink
          English
          arrow-up
          15
          ·
          edit-2
          5 months ago

          The issue is that there are a lot of system administrators with “15 years experience in Linux” that have no real experience in Linux.

          Reminds me of this guy I helped a few years ago. His name was Bob, and he was a sysadmin at a predominantly Windows company. The software I was supporting, however, only ran on Linux. So since Bob had been a UNIX admin back in the 80s they picked him to install the software.

          But it had been 30 years since he ever touched a CLI. Every time I got on a call with him, I’d have to give him every keystroke one by one, all while listening to him complain about how much he hated it. After three or four calls I just gave up and used the screenshare to do everything myself.

          AFAIK he’s still the only Linux “sysadmin” there.

        • Hotzilla@sopuli.xyz
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          1
          ·
          5 months ago

          “googling answers”, I feel personally violated.

          /s

          To be fare, there is not reason to memorize things that you need once or twice. Google is tool, and good for Linux issues. Why debug some issue for few hours, if you can Google resolution in minutes.

          • Avatar_of_Self@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            5 months ago

            I’m not against using Google, stack exhange, man pages, apropos, tldr, etc. but if you’re trying to advertise competence with a skillset but you can’t do the basics and frankly it is still essentially a mystery to you then youre just being dishonest. Sure use all tools available to you though because that’s a good thing to do.

            Just because someone breathed air in the same space occasionally over the years where a tool exists does not mean that they can honestly say that those are years of experience with it on a resume or whatever.

            • uis@lemm.ee
              link
              fedilink
              English
              arrow-up
              4
              ·
              5 months ago

              Just because someone breathed air in the same space occasionally over the years where a tool exists does not mean that they can honestly say that those are years of experience with it on a resume or whatever.

              Capitalism makes them to.

          • sacredfire@programming.dev
            link
            fedilink
            English
            arrow-up
            1
            ·
            5 months ago

            Agreed. If you are not incompetent, you will remember the stuff that you use often. You will know exactly where to look to refresh your memory for things you use infrequently, and when you do need to look something up, you will understand the solution and why it’s correct. Being good at looking things up, is like half the job.

      • uis@lemm.ee
        link
        fedilink
        English
        arrow-up
        6
        ·
        5 months ago

        Companies REALLY want that support clause in their infrastructure agreement.

        RedHat, Ubuntu, SUSE - they all exist on support contracts.

    • Rinox@feddit.it
      link
      fedilink
      English
      arrow-up
      17
      ·
      5 months ago

      I dunno, but doesn’t like a quarter of the internet kinda run on Azure?

      • corsicanguppy@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        doesn’t like a quarter of the internet kinda run on Azure?

        Said another way, 3/4 of the internet isn’t on Unsure cloud blah-blah.

        And azure is - shhh - at least partially backed by Linux hosts. Didn’t they buy an AWS clone and forcibly inject it with money like Bobby Brown on a date in the hopes of building AWS better than AWS like they did with nokia? MS could be more protectively diverse than many of its best customers.

    • Blackmist@feddit.uk
      link
      fedilink
      English
      arrow-up
      22
      arrow-down
      6
      ·
      5 months ago

      I’ve had my PC shut down for updates three times now, while using it as a Jellyfin server from another room. And I’ve only been using it for this purpose for six months or so.

      I can’t imagine running anything critical on it.

      • ccdfa@lemm.ee
        link
        fedilink
        English
        arrow-up
        43
        arrow-down
        2
        ·
        5 months ago

        Windows server, the OS, runs differently from desktop windows. So if you’re using desktop windows and expecting it to run like a server, well, that’s on you. However, I ran windows server 2016 and then 2019 for quite a few years just doing general homelab stuff and it is really a pain compared to Linux which I switched to on my server about a year ago. Server stuff is just way easier on Linux in my experience.

        • conciselyverbose@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          11
          ·
          5 months ago

          It doesn’t have to, though. Linux manages to do both just fine, with relatively minor compromises.

          Expecting an OS to handle keeping software running is not a big ask.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            1
            ·
            5 months ago

            Yup, I use Linux to run a Jellyfin server, as well as a few others things. The only problem is that the CPU I’m using (Ryzen 1st gen) will crash every couple weeks or so (known hardware fault, I never bothered to RMA), but that’s honestly not that bad since I can just walk over and restart it. Before that, it ran happily on an old Phenom II from 2009 for something like 10 years (old PC), and I mostly replaced it because the Ryzen uses a bit less electricity (enough that I used to turn the old PC off at night; this one runs 24/7 as is way more convenient).

            So aside from this hardware issue, Linux has been extremely solid. I have a VPS that tunnels traffic into my Jellyfin and other services from outside, and it pretty much never goes down (I guess the host reboots it once a year or something for hardware maintenance). I run updates when I want to (when I remember, which is about monthly), and it only goes down for like 30 sec to reboot after updates are applied.

            So yeah, Linux FTW, once it’s set up, it just runs.

            • uis@lemm.ee
              link
              fedilink
              English
              arrow-up
              1
              ·
              5 months ago

              not that bad since I can just walk over and restart it.

              You can try to use watchdog to automatically restart on crashes. Or go through RMA.

              • sugar_in_your_tea@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                5 months ago

                I could, but it’s a pretty rare nuisance. I’d rather just replace the CPU than go through RMA, a newer gen CPU is quite inexpensive, I could probably get by with a <$100 CPU since anything AM4 should work (I have an X370 with support for 5XXX series CPUs).

                I’m personally looking at replacing it with a much lower power chip, like maybe something ARM. I just haven’t found something that would fit well since I need 2-4 SATA (PCIe card could work), 16GB+ RAM, and a relatively strong CPU. I’m hopeful that with ARM Snapdragon chips making their way to laptops and RISC-V getting more available, I’ll find something that’ll fit that niche well. Otherwise, I’ll just upgrade when my wife or I upgrade, which is what I usually do.

                • uis@lemm.ee
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  5 months ago

                  I just haven’t found something that would fit well since I need 2-4 SATA (PCIe card could work), 16GB+ RAM, and a relatively strong CPU.

                  4 SATA, 8GB RAM is easy to find. What do you need 16 gigs for? Compiling Gentoo?

                  Star64 for ARM and Quartz64 for RV.

          • corsicanguppy@lemmy.ca
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            5
            ·
            5 months ago

            big ask.

            Off the car lot, we say ‘request’. But good on you for changing careers.

        • Blackmist@feddit.uk
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 months ago

          Because I only have one PC (that I need for work), and I can’t be arsed to cock around with dual boot just to watch movies. Especially when Windows will probably break that at some point.

          • uis@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            5 months ago

            Can you use Linux as main OS then? What do you need your computer to do?

            • Blackmist@feddit.uk
              link
              fedilink
              English
              arrow-up
              2
              ·
              5 months ago

              I need to run windows software that makes other windows software, that will be run on our customers (who pay us quite well) PCs that also run windows.

              Plus gaming. I’m not switching my primary box to Linux at any point. If I get a mini server, that will probably ruin Linux.

              • uis@lemm.ee
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                edit-2
                5 months ago

                I need to run windows software that makes other windows software, that will be run on our customers (who pay us quite well) PCs that also run windows.

                Mingw, but whatever. Maybe there is somethong mingw can’t do.

                Plus gaming. I’m not switching my primary box to Linux at any point.

                Unless it is Apex and some other worst offenders or you use GPU from the only company actively hostile to linux, gaming is fine.

        • ji17br@lemmy.ml
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          1
          ·
          5 months ago

          Wow dude you’re so cool. I bet that made you feel so superior. Everyone on here thinks you are so badass.

    • neosheo@discuss.tchncs.de
      link
      fedilink
      English
      arrow-up
      1
      ·
      5 months ago

      I know i was really surprised how many there are. But honestly think of how many companies are using active directory and azure

  • YTG123@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    169
    ·
    5 months ago

    >Make a kernel-level antivirus
    >Make it proprietary
    >Don’t test updates… for some reason??

          • jedibob5@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            5 months ago

            Is the 4x10 really worth the extra day off? Tbh I’m not sure it would work very well for me… I find just one 10-hour day to be kinda draining, so doing that 4 times a week every week feels like it might just cancel out any benefits of the extra day off.

            • meanmon13@lemmy.zip
              link
              fedilink
              English
              arrow-up
              2
              ·
              5 months ago

              I am very used to it so I don’t find it draining. I tried 5x8 once and it felt more like working an extra day than getting more time in the afternoon. If that makes sense. I also start early around 7am, so I am only staying a little later than other people

          • corsicanguppy@lemmy.ca
            link
            fedilink
            English
            arrow-up
            2
            ·
            5 months ago

            I changed jobs because the new management was all “if I can’t look at your ass you don’t work here” and I agreed.

            I now work remotely 100% and it’s in the union contract with the 21vacation days and 9x9 compressed time and regular raises. The view out my home office window is partially obscured by a floofy cat and we both like it that way.

            I’d work here until I die.

      • Blackmist@feddit.uk
        link
        fedilink
        English
        arrow-up
        15
        ·
        5 months ago

        Yep, anything done on Friday can enter the world on a Monday.

        I don’t really have any plans most weekends, but I sure as shit don’t plan on spending it fixing Friday’s fuckups.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          And honestly, anything that can be done Monday is probably better done on Tuesday. Why start off your week by screwing stuff up?

          We have a team policy to never do externally facing updates on Fridays, and we generally avoid Mondays as well unless it’s urgent. Here’s roughly what each day is for:

          • Monday - urgent patches that were ready on Friday; everyone WFH
          • Tuesday - most releases; work in-office
          • Wed - fixing stuff we broke on Tuesday/planning the next release; work in-office
          • Thu - fixing stuff we broke on Tuesday, closing things out for the week; WFH
          • Fri - documentation, reviews, etc; WFH

          If things go sideways, we come in on Thu to straighten it out, but that almost never happens.

      • sasquash@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        Actually I was not even joking. I also work in IT and have exactly the same opinion. Friday is for easy stuff!

    • merc@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      ·
      5 months ago

      You posted this 14 hours ago, which would have made it 4:30 am in Austin, Texas where Cloudstrike is based. You may have felt the effect on Friday, but it’s extremely likely that the person who made the change did it late on a Thursday.

      • Toribor@corndog.social
        link
        fedilink
        English
        arrow-up
        58
        ·
        5 months ago

        This is fine as long as you politely ask everyone on the Internet to slow down and stop exploiting new vulnerabilities.

        • Ookami38@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          22
          ·
          5 months ago

          I think vulnerabilities found count as “something broken” and chap you replied to simply did not think that far ahead hahah

          • huginn@feddit.it
            link
            fedilink
            English
            arrow-up
            14
            ·
            5 months ago

            For real - A cyber security company should basically always be pushing out updates.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              English
              arrow-up
              4
              ·
              5 months ago

              Exactly. You don’t know what the vulnerabilities are, but the vendors pushing out updates typically do. So stay on top of updates to limit the attack surface.

              Major releases can wait, security updates should be pushed as soon as they can be proven to not break prod.

            • Midnight Wolf@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              5 months ago

              always pushing out updates

              Notes: Version bump: Eric is a twat so I removed his name from the listed coder team members on the about window.

              git push --force

              leans back in chair productive day, productive day indeed

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            5 months ago

            I use Tumbleweed, so I only get updates once/day, twice if something explodes. I used to use Arch, so my update cycle has lengthened from 1-2x/day to 1-2x/week, which is so much better.

            • Nachorella@lemmy.sdf.org
              link
              fedilink
              English
              arrow-up
              2
              ·
              5 months ago

              I really like the tumbleweed method, seems like the best compromise between arch and debian style updates.

              • sugar_in_your_tea@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                5 months ago

                I think a lot of what (open)SUSE does is pretty solid. For example, microOS is a fantastic compromise between a stable base and a rolling userspace, and I think a lot of people would do well to switch to it from Leap. I currently use Leap for my NAS, but I do plan to switch to microOS.

      • Hotzilla@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        This is AV, and even possible that it is part of definitions (for example some windows file deleted as false positive). You update those daily.

  • Encrypt-Keeper@lemmy.world
    link
    fedilink
    English
    arrow-up
    115
    ·
    5 months ago

    Yeah my plans of going to sleep last night were thoroughly dashed as every single windows server across every datacenter I manage between two countries all cried out at the same time lmao

  • kadotux@sopuli.xyz
    link
    fedilink
    English
    arrow-up
    103
    arrow-down
    2
    ·
    edit-2
    5 months ago

    Here’s the fix: (or rather workaround, released by CrowdStrike) 1)Boot to safe mode/recovery 2)Go to C:\Windows\System32\drivers\CrowdStrike 3)Delete the file matching “C-00000291*.sys” 4)Boot the system normally

    • StV2@lemmy.world
      link
      fedilink
      English
      arrow-up
      64
      arrow-down
      4
      ·
      5 months ago

      It’s disappointing that the fix is so easy to perform and yet it’ll almost certainly keep a lot of infrastructure down for hours because a majority of people seem too scared to try to fix anything on their own machine (or aren’t trusted to so they can’t even if they know how)

      • HaleHirsute@infosec.pub
        link
        fedilink
        English
        arrow-up
        69
        arrow-down
        1
        ·
        5 months ago

        They also gotta get the fix through a trusted channel and not randomly on the internet. (No offense to the person that gave the info, it’s maybe correct but you never know)

        • kadotux@sopuli.xyz
          link
          fedilink
          English
          arrow-up
          15
          arrow-down
          1
          ·
          5 months ago

          Yeah, and it’s unknown if CS is active after the workaround or not (source: hackernews commentator)

        • letsgo@lemm.ee
          link
          fedilink
          English
          arrow-up
          8
          ·
          5 months ago

          True, but knowing what the fix might be means you can Google it and see what comes back. It was on StackOverflow for example, but at the time of this comment has been taken offline for moderation - whatever that means.

        • ColeSloth@discuss.tchncs.de
          link
          fedilink
          English
          arrow-up
          3
          ·
          5 months ago

          Meh. Even if it bricked crowdstrike instead of helping, you can just restore the file you deleted. A file in that folder can’t brick a windows system.

      • NaibofTabr@infosec.pub
        link
        fedilink
        English
        arrow-up
        50
        ·
        5 months ago

        This sort of fix might not be accessible to a lot of employees who don’t have admin access on their company laptops, and if the laptop can’t be accessed remotely by IT then the options are very limited. Trying to walk a lot of nontechnical users through this over the phone won’t go very well.

        • AccountMaker@slrpnk.net
          link
          fedilink
          English
          arrow-up
          17
          ·
          5 months ago

          Yup, that’s me. We booted into safe mode, tried navigating into the CrowdStrike folder and boom: permission denied.

          • Cryophilia@lemmy.world
            link
            fedilink
            English
            arrow-up
            11
            ·
            5 months ago

            Half our shit can’t even boot into safe mode because it’s encrypted and we don’t have the keys rofl

            • Oderus@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              5 months ago

              If you don’t have the keys, what the hell are you doing? We have bitlocker enabled and we have a way to get the recovery key so it’s not a problem. Just a huge pain in the ass.

      • thehatfox@lemmy.world
        link
        fedilink
        English
        arrow-up
        32
        ·
        edit-2
        5 months ago

        Might seem easy to someone with a technical background. But the last thing businesses want to be doing is telling average end users to boot into safe mode and start deleting system files.

        If that started happening en masse we would quickly end up with far more problems than we started with. Plenty of users would end up deleting system32 entirely or something else equally damaging.

        • Ookami38@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          7
          ·
          5 months ago

          I do IT for some stores. My team lead briefly suggested having store managers try to do this fix. I HARD vetoed that. That’s only going to do more damage.

      • r00ty@kbin.life
        link
        fedilink
        arrow-up
        15
        ·
        5 months ago

        It might not even be that. A lot of places have many servers (and even more virtual servers) running crowdstrike. Some places also seem to have it on endpoints too.

        That’s a lot of machines to manually fix.

        • StV2@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          That is unfortunate but also leads me to a different question

          Why do people like windows server? I’ve had to use it a couple of times for work and although it’s certainly better than just using the desktop windows it’s so heavy compared to running something like Debian

          In our case, the fact we were using windows server actually made it a worse experience for customers aswell because the hardware was not up to it (because budget constraints) so it just chugged and slowed down everything making it a terrible experience for everyone involved (not to mention how often it’d have to be rebooted because a service wouldn’t restart)

        • Oderus@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          You can do it over the phone. I just did a few dozen this morning and it was relatively easy.

          • Midnight Wolf@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            5 months ago

            “yes, now open the file explorer. No, that’s internet explorer… Yes, with the files. Now go to this pc… No, I know you are at this pc, but the entry on the left. No that’s the keyboard. On the screen. Where it says this pc, on the left. The left. The left. … That’s the start menu. Okay, let’s try this a different way. On the keyboard, press the windows key and r. No, simultaneously. The windows key is the one with the flag. Yes. R. As in Romeo. Yes I know a window appeared, very good. Now type c colon backslash windows backslash system 32… Yes like the numbers. No, that’s a semicolon. Yes. Shift. On the keyboard. Simultaneously. And another backslash drivers. Click OK. What error? Why did you type that after the colon? It needs to go at the end. Yes, the end. Yes. Yes. Now click OK. What error? Read the text you typed to me. Why didn’t you delete the semicolon? Yes. Yes. What error?! AHHHHHHHHHHHHHHHH”

            yeah, sometimes that’s just not an option…

      • Grandwolf319@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        5 months ago

        I wouldn’t fix it if it’s not my responsibly at work. What if I mess up and break things further?

        When things go wrong, best to just let people do the emergency process.

    • cheeseburger@lemmy.ca
      link
      fedilink
      English
      arrow-up
      45
      ·
      5 months ago

      I’m on a bridge still while we wait for Bitlocker recovery keys, so we can actually boot into safemode, but the Bitkocker key server is down as well…

    • WagnasT@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      5 months ago

      Man, it sure would suck if you could still get to safe mode from pressing f8. Can you imagine how terrible that’d be?

    • resin85@lemmy.ca
      link
      fedilink
      English
      arrow-up
      2
      ·
      5 months ago

      Not that easy when it’s a fleet of servers in multiple remote data centers. Lots of IT folks will be spending their weekend sitting in data center cages.

  • richtellyard@lemmy.world
    cake
    link
    fedilink
    English
    arrow-up
    96
    ·
    5 months ago

    This is going to be a Big Deal for a whole lot of people. I don’t know all the companies and industries that use Crowdstrike but I might guess it will result in airline delays, banking outages, and hospital computer systems failing. Hopefully nobody gets hurt because of it.

  • boaratio@lemmy.world
    link
    fedilink
    English
    arrow-up
    92
    ·
    5 months ago

    CrowdStrike: It’s Friday, let’s throw it over the wall to production. See you all on Monday!

  • NaibofTabr@infosec.pub
    link
    fedilink
    English
    arrow-up
    85
    arrow-down
    1
    ·
    edit-2
    5 months ago

    Wow, I didn’t realize CrowdStrike was widespread enough to be a single point of failure for so much infrastructure. Lot of airports and hospitals offline.

    The Federal Aviation Administration (FAA) imposed the global ground stop for airlines including United, Delta, American, and Frontier.

    Flights grounded in the US.

    The System is Down

    • CanadaPlus@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      22
      ·
      5 months ago

      Honestly my philosophy these days, when it comes to anything proprietary. They just can’t keep their grubby little fingers off of working software.

      At least this time it was an accident.

    • Hotzilla@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      2
      ·
      5 months ago

      There is nothing unsafer than local networks.

      AV/XDR is not optional even in offline networks. If you don’t have visibility on your network, you are totally screwed.

  • Damage@feddit.it
    link
    fedilink
    English
    arrow-up
    84
    arrow-down
    15
    ·
    5 months ago

    The thought of a local computer being unable to boot because some remote server somewhere is unavailable makes me laugh and sad at the same time.

    • rxxrc@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      74
      arrow-down
      1
      ·
      5 months ago

      I don’t think that’s what’s happening here. As far as I know it’s an issue with a driver installed on the computers, not with anything trying to reach out to an external server. If that were the case you’d expect it to fail to boot any time you don’t have an Internet connection.

      Windows is bad but it’s not that bad yet.

      • corsicanguppy@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        edit-2
        5 months ago

        expect it to fail to boot any time you don’t have an Internet connection.

        So, like the UbiSoft umbilical but for OSes.

        Edit: name of publisher not developer.

    • Munkisquisher@lemmy.nz
      link
      fedilink
      English
      arrow-up
      23
      arrow-down
      1
      ·
      5 months ago

      A remote server that you pay some serious money to that pushes a garbage driver that prevents yours from booting

      • Passerby6497@lemmy.world
        link
        fedilink
        English
        arrow-up
        10
        ·
        5 months ago

        Not only does it (possibly) prevent booting, but it will also bsod it first so you’ll have to see how lucky you get.

        Goddamn I hate crowdstrike. Between this and them fucking up and letting malware back into a system, I have nothing nice to say about them.

        • Cryophilia@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          ·
          edit-2
          5 months ago

          It’s bsod on boot

          And anything encrypted with bitlocker can’t even go into safe mode to fix it

          • Passerby6497@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            ·
            5 months ago

            It doesn’t consistently bsod on boot, about half of affected machines did in our environment, but all of them did experience a bsod while running. A good amount of ours just took the bad update, bsod’d and came back up.

  • Sʏʟᴇɴᴄᴇ@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    66
    ·
    5 months ago

    Yep, stuck at the airport currently. All flights grounded. All major grocery store chains and banks also impacted. Bad day to be a crowdstrike employee!

    • iknowitwheniseeit@lemmynsfw.com
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      5 months ago

      My flight was canceled. Luckily that was a partner airline. My actual airline rebooked me on a direct flight. Leaves 3 hours later and arrives earlier. Lower carbon footprint. So, except that I’m standing in queue so someone can inspect my documents it’s basically a win for me. 😆