CrowdStrike Update: Latest News, Lessons Learned from a Retired Microsoft Engineer

00:01

hey I'm Dave welcome to my shop I'm Dave

00:03

plumber a retired Microsoft software

00:05

engineer starting our Windows back in

00:07

the early 1990s and today I'm going to

00:09

update you on all the latest fulcon news

00:11

as well as some want and speculation and

00:13

even conspiracy theories on the crowd

00:15

strike Falcon it oage if you watch my

00:18

last video then you already know the

00:20

specific technical details of what

00:22

precisely went wrong so I'll only

00:24

briefly update them here with some new

00:25

info once we've done that I'll update

00:28

you on the latest conspiracy theories as

00:29

as well as consider what broader lessons

00:31

can be learned from the whole debacle

00:34

the recent crowd strike it outage was

00:36

caused by a faulty sensor configuration

00:38

update in their fulcon cyber security

00:40

platform here are the key technical

00:42

details the update involved a

00:44

configuration file known as Channel file

00:47

291 designed to Target newly observed

00:50

malicious named pipes used in common

00:52

command and control Frameworks the

00:54

update appears to have been malformed it

00:57

then triggered a logic air in the crowd

00:58

strike kernel Drive that resulted in

01:00

system crashes in the infamous blue

01:02

screen of death on impacted Windows

01:04

systems approximately 8.5 million

01:07

devices worldwide were impacted causing

01:09

significant disruptions across various

01:11

Industries including Banks Airlines and

01:13

businesses even 911 service was

01:16

disrupted in some areas Crow quickly

01:19

identified the issue and deployed a fix

01:21

within a few hours they issue detailed

01:24

technical guidance for affected

01:25

customers including mitigation steps and

01:27

tools to identify impacted hosts now I

01:30

used air quotes around the word fix

01:32

because in this case the fix only fixes

01:34

the update and prevents more machines

01:36

from being brought down for the 8

01:37

million or so machines that already took

01:39

the update it does nothing at all to fix

01:41

them that's going to be up to the system

01:43

administrators office managers and nerdy

01:45

uncles around the world to fix because

01:47

each and every machine will require that

01:49

a human manually boot the machine into

01:51

safe mode from there you have to find

01:53

the corrupted Channel 291 update file in

01:55

the crowd strike folder delete it and

01:57

reboot and so that's where we're at a

02:00

whole lot of tech standing around with

02:01

their disc in their hand waiting to Safe

02:03

boot 8 million blue screen Windows

02:05

machines doesn't look very good for

02:07

Microsoft which is ironic because it's

02:09

primarily a crowd strike issue and not

02:11

something specific to Windows itself if

02:13

you don't believe me consider that on

02:15

April 19th this year Crow strike issued

02:17

a flawed update that impacted customers

02:18

running Debbie and Linux the update

02:21

caused those systems to crash and

02:23

prevented them from rebooting normally

02:25

the issue was acknowledged by crowd

02:26

strike the next day but it took weeks to

02:28

determine the exact cause and Implement

02:30

a fix another similar issue occurred a

02:32

month later on May 13th this time

02:34

affecting Rocky Linux these servers

02:36

experience freezes after upgrading to

02:38

the rocky Linux 9.4 this problem was

02:41

linked to a Linux sensor operating in

02:42

user mode combined with Pacific 6.x Kel

02:46

versions curiously absent from the list

02:48

though is the Mac like a lot of folks

02:50

you might just assume that's because

02:52

it's yet one more piece of software that

02:53

doesn't even run on the Mac but you'd be

02:55

wrong crowd strike does provide security

02:57

solutions for Mac OS through its Falcon

02:59

Plus platform the Falcon sensor for Mac

03:02

OS does not install kernel extensions

03:04

especially with the release of Mac OS

03:06

big sir and later versions where Apple

03:08

deprecated the use of K extensions

03:10

entirely instead crowd strike has

03:13

rearchitecturing

03:16

workk provided by Apple known as system

03:19

extensions and while I generally hold

03:21

Microsoft blameless in how crowd strikes

03:23

mistakes manifested on their platform

03:25

this time around it all comes down to

03:27

the fact that a kernel driver is

03:29

involved at all as I explained in the

03:31

last video a kernel driver has very

03:34

intimate access to the system's most

03:35

inner workings as a cost however it

03:38

brings with it the fact that if anything

03:40

goes wrong with the kernel driver the

03:42

system must blue screen to prevent

03:43

further damage to the user settings

03:45

files security and so on crowd strike

03:48

engag is in the risky business of

03:50

delivering kernel code to the critical

03:52

path of millions of machines not because

03:54

they are careless YOLO Cowboys or even

03:57

in spite of that they do it because it's

03:59

the only way on Windows to get the low-l

04:01

system access to do the security Voodoo

04:03

that they do you see code gets to walk

04:06

on the wild side in the kernel usually

04:08

for one of two reasons either for

04:10

performance reasons or because it needs

04:12

access to information about or other

04:13

kernel goings on that it simply cannot

04:16

do from user mode back in the day when

04:19

my beard was still dark red as in the

04:20

days of Windows n31 not even the video

04:23

driver ran in kernel mode it essentially

04:25

ran entirely in user mode and when it

04:27

needed to access the hardware it would

04:29

be done by a proxy thread in the kernel

04:31

on behalf of the video driver and the

04:34

parameters and results will be validated

04:35

and Marshal back and forth between those

04:37

threads the problem is that with a gen

04:39

4x6 GPU connection that's a metric crap

04:42

ton of data to Marshall and it'd be a

04:45

lot faster if the driver just had Direct

04:46

access to the hardware and so for

04:49

performance Reasons video drivers got

04:50

moved into kernel space but the key

04:52

point is that it was not a necessity it

04:54

was a performance decision made at the

04:56

cost of potentially reduced reliability

04:59

oh over time the decision has been made

05:01

the other way in favor of stability too

05:03

the original printer subsystem for

05:05

Windows used a kernel mode driver model

05:07

for printers and while I would never

05:09

dare to question the wisdom of printer

05:11

designers I'm not sure I want some

05:13

internet brother writing my kernel code

05:16

and so with a little wailing and nashing

05:18

of teeth the printer driver model was

05:20

moved to user mode to make Windows far

05:21

more

05:22

robust when it comes to something like

05:24

crowd strike the Falon sensor is in

05:26

kernel mode presumably because it needs

05:28

to do things that can't be done from

05:30

user mode and to me that's where

05:31

Microsoft could be responsible because

05:34

on the Windows platform to the best of

05:36

my knowledge some of the crowdstrike

05:37

security functionality requireed deep

05:39

integration with the operating system

05:41

that can only be currently achieved on

05:43

the colonel side that's not to say that

05:46

Microsoft hasn't tried there's wdac or

05:49

the Windows Defender application control

05:51

API there's also the Windows Defender

05:53

device guard together they provide

05:55

mechanisms for controlling application

05:57

execution and ensuring that only trusted

05:59

code code runs on a system they also

06:02

offer various apis for antivirus and

06:04

endpoint protection solutions to

06:06

interact with the operating system and I

06:08

don't know to what extent crowd strike

06:09

those Active network filtering but the

06:11

Windows filtering platform or wfp allows

06:14

applications to interact with the

06:16

network stack without requiring kernel

06:18

level code the irony of all this is that

06:20

at one point Microsoft actually tried to

06:22

do the right thing behind the scenes

06:24

sources indicate that Microsoft have

06:26

been working on a solution that could

06:27

have potentially prevented such

06:28

disasters

06:30

the tech giant had developed an advanced

06:32

API designed specifically for security

06:34

applications like crowd strikes this API

06:37

promised deeper integration with the

06:39

Windows operating system offering

06:40

enhanced stability performance and

06:42

security it was a proactive measure

06:44

aimed at mitigating the risks associated

06:46

with low-level system interactions which

06:48

are often fraught with complexities and

06:50

potential

06:51

vulnerabilities however as Microsoft

06:53

prepared to roll out this game-changing

06:54

API they encountered an unexpected

06:57

obstacle regulatory body tasked with

07:00

ensuring Fair competition in the tech

07:01

industry scrutinized the new API The

07:04

Regulators in the European Union argued

07:06

that providing such a powerful tool

07:08

exclusively to certain applications

07:10

could give Microsoft an unfair Advantage

07:12

potentially stifling competition from

07:14

smaller security firms that wouldn't

07:16

have the same access now despite

07:18

Microsoft's assurances that the API

07:20

would enhance security for all users The

07:22

Regulators stood firm they feared that

07:25

integrating this API could create a

07:26

dependency on Microsoft's ecosystem

07:29

effectiv L locking out competitors who

07:31

couldn't leverage the same level of

07:32

access to the windows core consequently

07:35

the API was deemed anti-competitive and

07:38

its implementation was prohibited so

07:40

allocating blame to Microsoft for

07:42

inaction on an API is actually pretty

07:44

unfair Microsoft is also in a very

07:46

different position than Apple Apple is

07:49

somehow afforded the luxury of being

07:50

able to do things like break an entire

07:52

driver model in a new update that

07:54

requires everything to be Rewritten

07:56

conversely backwards compatibility is so

07:58

deeply ingrained among Microsoft

07:59

developers that it simply may not be an

08:02

option on my Mac I've got a universal

08:04

audio Apollo tnx Thunderbolt sound

08:07

device and it requires that you disable

08:08

all of Apple's driver signing and kernel

08:10

extension security and for weeks the

08:12

machine would pink screen and reboot

08:14

until they eventually got their driver

08:15

more sorted Microsoft needs to support

08:18

and Export whatever functionality as an

08:20

official API so that security providers

08:23

can build their product without putting

08:24

the entire operating system at risk not

08:27

because it's the right thing to do but

08:28

because the harsh reality is that

08:30

they've got tens of millions of machines

08:32

serving ad Mission critical roles like

08:33

911 service that do run kernel mode code

08:36

those organizations deserve a system

08:38

that doesn't need to run thirdparty

08:40

kernel code to safely do its job and

08:42

only Microsoft can fix that but only if

08:44

The Regulators would let them now I'm

08:46

certainly not going to throw satcha

08:48

under the bus for not throwing crowd

08:49

strike and the EU under at first but I

08:52

question the communication and messaging

08:54

that's coming from the top the decision

08:56

to not publicly note that this isn't a

08:57

failure in Windows itself has led to to

08:59

the widespread misconception amongst my

09:01

friends and relatives that it was a

09:02

Windows update that went horribly wrong

09:04

I think it' be instructive to take a

09:06

quick look at another PR nightmare that

09:08

also wasn't the company's fault Tylenols

09:10

crisis back in the 1980s now that might

09:13

sound like a long time ago but keep in

09:15

mind I'm almost 56 now

09:18

damn I'm sorry anyway Johnson and

09:21

Johnson faced a crisis that would become

09:22

a defining moment in corporate crisis

09:24

Management in September 1982 seven

09:27

people in the Chicago area died after

09:29

ingesting Tylenol capsules that had been

09:31

laced with cyanide this event triggered

09:34

Widespread Panic and could have easily

09:35

destroyed the trust and credibility of

09:37

the Tylenol brand entirely to say the

09:39

least James Burke the CEO of Johnson and

09:41

Johnson at the time spearheaded a

09:43

response that would set a new standard

09:45

for corporate crisis management his

09:48

approach was characterized by

09:49

transparency decisiveness and a focus on

09:52

consumer safety as soon as the tampering

09:54

was discovered Burke ordered a

09:55

nationwide recall of Tylenol products

09:57

totaling around 31 million bottles and

09:59

costing the company over $100

10:01

million this decisive action underscored

10:04

Johnson and Johnson's commitment to

10:06

Consumer safety over their short-term

10:08

Financial losses Burke made it a

10:10

priority to maintain open lines of

10:12

communication with the public the media

10:14

and Regulatory Agencies he ensured that

10:16

the company was forthright about the

10:18

risks and the steps being taken to

10:19

address the situation this transparency

10:22

helped to build trust with the public

10:23

during a time of fear and uncertainty in

10:26

the aftermath of the crisis Johnson and

10:28

Johnson introduced tamper evident

10:30

packaging which became an industry

10:32

standard this move not only addressed

10:34

immediate safety concerns but also

10:36

restored consumer confidence in the

10:38

product the company also launched a

10:40

major public relations campaign to

10:41

educate the public about new safety

10:43

measures and reassure them about the

10:45

product safety Burg's leadership during

10:47

the Tylenol crisis was widely praised

10:49

for its ethical Focus he adhered to the

10:51

company's Credo which emphasize the

10:53

importance of the company's

10:54

responsibility to its consumers

10:56

employees and Community this ethical

10:58

Foundation guided all of Johnson and

11:00

Johnson's decisions during the crisis

11:03

the Swift and responsible actions taken

11:04

by Burke and his team not only helped

11:06

Tylenol to recover from the crisis but

11:08

also strengthened the Brand's reputation

11:11

Tylenol regained its market share within

11:13

a year and the company's handling of the

11:14

crisis became a case study in business

11:16

schools around the world James Burke's

11:19

masterful handling of the Tylenol crisis

11:21

showcased the power of ethical

11:22

leadership and set a new Benchmark for

11:24

crisis management by putting consumer

11:27

Safety First and maintaining transparent

11:28

communic ation Burke was able to

11:31

navigate one of the most challenging

11:32

crises in its history and emerge

11:34

stronger of course the Tylenol crisis

11:37

and the crowd strike outage are very

11:38

different events but I think both

11:40

Microsoft and crowd strike would be wise

11:42

to learn from James Burke's example and

11:45

maybe it's time for a tamperproof

11:46

colonel all this would require that the

11:48

EU reway the greater public good in

11:50

terms of critical infrastructure over

11:52

competition in the security API business

11:55

and speaking of trust what about code

11:56

signing what went wrong here that a

11:58

fully signed driver was able to bork 10

12:00

million Windows machines remember that

12:02

Microsoft fully tested and vetted and

12:04

approved and signed the crowd strike

12:06

driver in the whql lab and the driver

12:10

didn't change just the channel update

12:12

file did the channel files are used as

12:15

input to the driver and we subsequently

12:17

learned that the channel 291 update file

12:19

was made up entirely of zeros and then

12:22

when the driver ingested that update

12:24

file it choked and because it was in

12:25

curdle mode its only choice was to then

12:27

turn blue and D that also means that all

12:30

of the trusted platform modules and

12:32

secure boots in the world wouldn't have

12:33

saved you the driver was already fully

12:36

trusted so even if you were running

12:37

locked down to sign bits only the driver

12:39

never changed data files like Channel

12:42

updates aren't signed as far as I know

12:44

so a digital signature wouldn't have

12:46

helped and even if they were signed an

12:48

all zero signed Channel file would still

12:50

likely have crashed the signed driver so

12:53

in this case trusted Computing was of

12:54

little help since there have been very

12:56

few specific technical details made

12:58

public so far it's time to get a little

13:00

further into the weeds with some

13:01

speculation before moving on to some

13:03

outright conspiracy theories my

13:05

speculation begins with my assessment of

13:07

what went wrong inside the crowd strike

13:09

driver in the last episode we saw how

13:11

the driver was access violating and

13:13

crashing the system but why what caused

13:15

it the best assessment I can come up

13:17

with is that the code D referencing a

13:19

null pointer plus an offset into a data

13:21

structure that is expecting to find in

13:23

memory why their base pointer for the

13:25

structure is no is harder to say but

13:27

it's almost certainly tied to the fact

13:29

that the channel update file was all

13:31

zeros a few folks have written to ask me

13:33

why such code can't just be placed in a

13:35

tri accept block so that if it access

13:37

violates operation can continue and the

13:40

answer is you can in theory and since

13:42

the exception will be triggered on the

13:44

attempt to write to Illegal memory and

13:46

not merely after the fact memory itself

13:48

is protected and preserved that means

13:50

that as long as the code with the

13:52

exception Handler can return gracefully

13:54

and the callers Upstream can in turn

13:56

cope with the air being returned back to

13:57

them all as well

13:59

but I didn't want to give you the

14:00

impression that you can just wrap

14:01

suspect code in a tri accept block and

14:03

eat the exceptions there's a bit more to

14:05

it than that I think the real failure

14:07

here is on the part of the crowdstrike

14:09

driver in its lack of properly vetting

14:11

its input they're not great about

14:13

teaching it in college but one of the

14:15

first things you learn as a real

14:16

developer is never to trust user input

14:19

and if you're a device driver and your

14:21

input is a dynamically downloaded

14:23

Channel update file you can't just

14:25

implicitly trust it even if the channel

14:28

files were signed by himself the code

14:30

needs to sanity check the contents let's

14:32

say you're writing a little app to read

14:34

in a bitmap file and displayed on the

14:36

screen using the graphics card when you

14:38

read that file into memory and pass it

14:40

to the draw bitmap API the first thing

14:42

that the API is going to do is to check

14:44

the bitmap structure and header and make

14:46

sure that it's all valid and if you pass

14:48

that bit map off to direct X to render

14:50

it with the GPU you can rest assured

14:52

that the kernel side of the driver is

14:54

going to carefully inspect the bit map

14:55

for validity in every possible sense

14:57

before attempting to draw it and crowd

14:59

strike man not so much looks like their

15:01

code just kind of raw dogged it and

15:03

hoped for the best but it is in life as

15:05

it is in software you can be lucky

15:07

sometimes but if you come to rely on

15:09

luck it will eventually run out and

15:11

crowd strikes appears to have run out

15:13

when that channel file full of zeros

15:14

brought down what must be a fairly

15:16

fragile section of their code following

15:19

the crowd strike outage various

15:20

conspiracy theories have emerged on

15:22

Twitter and Reddit one popular Theory

15:24

posits that the outage was a deliberate

15:25

Cyber attack signaling the onset of

15:27

World War II with some can get to

15:29

warnings from the world economic Forum

15:31

about potential Global cyber threats

15:33

another theory suggests that the oage

15:35

was orchestrated by political figures to

15:37

influence geopolitical events although

15:39

there is no evidence supporting any of

15:41

these claims as for me I try to never

15:43

attribute to malice that which can be

15:45

sufficiently explained by incompetence

15:47

it's not as simple as one programmer air

15:49

either though when I was at Microsoft I

15:52

only wrote the odd bit of Colonel code

15:53

but the culture among the colonel guys

15:55

was pretty hardcore the quality bar was

15:57

extremely high as was a level of

15:59

scrutiny that your code would receive

16:01

from the colel team if you wandered

16:02

under their Turf and checked something

16:04

into their Source control even so I'm

16:06

not going to just condemn the programmer

16:07

especially based on the limited

16:09

information that we have on the actual

16:10

bug but regardless of how egregious the

16:13

bug is or isn't there should be several

16:15

procedural and tests and review layers

16:17

that would prevent this bug or any bug

16:19

from having the impact that this one had

16:21

there are a lot more lessons to consider

16:23

here from whether or not seemingly the

16:25

entire world's infrastructure should be

16:27

dependent on a single vendor to whether

16:29

critical systems like 911 need to be on

16:31

an N minus1 or an N minus 2 update

16:33

schedule and what that all means and

16:36

Heaven help you if you are running bit

16:37

Locker on the affected machine but all

16:40

that we'll have to wait for a future

16:41

episode so if you found today's episode

16:43

to be any combination of entertaining or

16:45

informative please remember that I'm

16:46

mostly in this for the subs and likes

16:48

and I'd be honored if you'd consider

16:49

subscribing to my channel and leaving a

16:51

like on the video if you're already

16:53

subscribed thank you please consider

16:55

sending this video to a friend if you

16:57

think it's covered the subject well and

16:59

please do check out the free sample of

17:01

my new book on Amazon the non-visible

17:03

part of the autism spectrum it's

17:05

intended for folks that don't have ASD

17:07

but who suspect they might have a few

17:09

characteristics that put them somewhere

17:11

on the Spectrum it's everything I know

17:13

now about living a successful life on

17:14

the spectrum that I wish i' had known

17:16

long ago check it out at the link in the

17:18

video description in the meantime and

17:21

between time hope to see you next time

17:23

right here in Dave's Garage