• deadbeef79000@lemmy.nz
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    4 months ago

    TL;DR: Because the underlying OS is garbage.

    Whatever CrowdStrike’s “features” are should already be core security features of the kernel itself, or be exposed/extracted into user space.

    NT was supposed to be a micro kernel. That this tool injects itself into the kernel immediately compromises the kernel. Edit: I should point out that it seems that CS injects drivers into the Linux kernel too, it might just be that Linux handles a driver crash more elegantly.

    No different to the gaming anti-cheat kernel crap.

    Having a “security” tool immediately compromise your actual security is absurd.

    • ricecake@sh.itjust.works
      link
      fedilink
      arrow-up
      5
      ·
      4 months ago

      I’d love to know how you plan to do user mode packet filtering. Keep in mind that on Linux, the designated API is inherently kernel mode. https://netfilter.org/

      This isn’t one of the cases where we’re talking about Linux being superior to windows. Any OS will be fucked if you give it a mangled kernel module. In this case, it’s just that only one got one.

      Your perception that anything that touches the kernel is an intrinsic security risk is unfounded.

    • xor
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 months ago

      I, too, work in a similar type of company, and can confirm from experience that Linux can get just as absolutely fucked up by a bad kernel module as windows.

      And it’s not just changes to the module that can cause things to go wrong.

      For example, the kernel released alongside the latest Ubuntu LTS included a change that conflicted with our module behaviour, so machines with that kernel or newer would panic on boot.

      It was a super minor change, but when you’re deep in the weeds, it’s really easy for these things to be brittle. But that’s just an inherent consequence of the fact that this sort of stuff is intrinsically low-level interaction with the OS itself.