• marcos@lemmy.world
      link
      fedilink
      arrow-up
      42
      ·
      5 months ago

      Remember guys, it took about a decade for Solar Winds to discover somebody had root access to everybody that used their software, another decade for somebody outside Solar Winds to discover it and tell everybody, and half a decade with nobody claiming to have solved the issue up to now.

      So when you believe that your computer with an EDS is safe just because you can’t use it, think again.

    • lobut@lemmy.ca
      link
      fedilink
      arrow-up
      25
      ·
      5 months ago

      The most secure computer is the one not running any software. That’s why I recommend Crowdstrike.

  • Justin@lemmy.jlh.name
    link
    fedilink
    English
    arrow-up
    104
    ·
    5 months ago

    The fact that random companies like Crowdstrike have kernel drivers in millions of computers they they ship remotely is a security risk in and of itself. We’re lucky crowdstrike just shipped a bug that crashes computers, other companies could have shipped a lot worse.

    • Marduk73@sh.itjust.works
      link
      fedilink
      arrow-up
      4
      ·
      5 months ago

      I laugh and it does/did(over now) affect me. Bwahaha. Im getting work done and nobody can interrupt with email.

      • jj4211@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        5 months ago

        All I’ve noticed is that a lot of internet related things in my work are much faster today.

        The schadenfreude could only be sweeter if my company used CrowdStrike on all the Windows systems. Then I really would have had a very peaceful focused day.

    • Robin@lemmy.world
      link
      fedilink
      English
      arrow-up
      37
      ·
      5 months ago

      For a company this big it would also have to have gotten past a code review and QA team, right? … right? …

        • yrmp@lemmy.world
          link
          fedilink
          arrow-up
          6
          ·
          5 months ago

          We do.

          “If something goes down over the weekend, fewer people see it” - my leadership team.

          I guess Asia can report the problem on Sunday and I’ll get a nastygram and fix it that afternoon.

      • merc@sh.itjust.works
        link
        fedilink
        arrow-up
        4
        ·
        5 months ago

        Code review, QA team, hours of being baked on an internal test network, incremental exponential roll out to the world, starting slow so that any problems can be immediately rolled back. If they didn’t have those basics, they have no business being a tech company, let alone a security company who puts out windows drivers.

    • qjkxbmwvz@startrek.website
      link
      fedilink
      arrow-up
      19
      ·
      5 months ago

      Yeah, something this big is absolutely not one engineer’s fault. Even if that engineer maliciously pushed an update, it’s not their fault — it was a complete failure of the organization, and one person having the ability to wreck havoc like this is the failure.

      And I actually have some amount of hope that, in this case, it is being recognized as such.

        • merc@sh.itjust.works
          link
          fedilink
          arrow-up
          9
          ·
          5 months ago

          No they won’t, not if they’re in the slightest bit competent.

          Blameless post-mortem culture is very common at big IT organizations. For a fuck-up this size, there are going to be dozens of problems identified, from bad QA processes, to bad code review processes, to bad documentation, to bad corner cases in tools.

          There will probably be some guy (or gal) who pushed the button, but unless what that person did was utterly reckless (like pushing an update while high or drunk, or pushing a change then turning off her phone and going dark, or whatever) the person who pushed the button will probably be a legend to their peers. Even if they made a big mistake, if they followed standard procedures while doing it, almost everyone will recognize they’re not at fault, they just got to be the unlucky person who pushed the button this time.

    • explodicle@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      5
      ·
      5 months ago

      He’ll just get fired, apply somewhere else, and they’ll only know the dates he worked at CrowdStrike.

      If anybody cared, they would have switched away from M$ by now.

  • CileTheSane@lemmy.ca
    link
    fedilink
    arrow-up
    40
    ·
    5 months ago

    Also: don’t trust your employees to boot into safe mode.
    Trust a 3rd party to freely install system level files at any time.

    I knew how to fix the computers at work today in the morning, but we couldn’t get through to the help desk to get the bit locker codes for each computer until near the end of the day.

    • cqst
      link
      fedilink
      arrow-up
      15
      ·
      edit-2
      5 months ago

      Also: don’t trust your employees to boot into safe mode. Trust a 3rd party to freely install system level files at any time.

      Exactly. This is exactly the problem, and unless people wisen up the software security problem is only going to get worse. Companies and Governments need to rethink how they approach security entirely. This is a preview of what is to come, its only going to get worse and more damaging from here, and none of the vendors care.

      • uis@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        5 months ago

        Companies and Governments need to rethink how they approach security entirely. This is a preview of what is to come, its only going to get worse and more damaging from here, and none of the vendors care.

        It is easy one for goverments. Ban security through obscurity. As well proprietary security software.

        Moonbutt’s moonbuck))) Have I seen you somewhere?

        • cqst
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          5 months ago

          Ban security through obscurity. As well proprietary security software.

          The government likes proprietary software. They are never going to ban it.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    32
    ·
    5 months ago

    I’m pretty sure Windows is plenty secure. It isn’t private or usercentric but of on a security perspective it isn’t bad.

    Linux has plenty of security problems just like any OS

    • bambooOP
      link
      fedilink
      English
      arrow-up
      30
      ·
      5 months ago

      Defending Windows in a linux memes community.

      That’s a bold move cotton, let’s see how that works out for 'em

    • cqst
      link
      fedilink
      arrow-up
      17
      ·
      edit-2
      5 months ago

      I’m pretty sure Windows is plenty secure.

      Haha sure. Windows NT MIGHT be considered ‘secure’ from an architectural standpoint but literally of this falls apart when you tape all the Microsoft Dark Patterns on it that ruin the security. Its a joke, and that’s the entire problem.

      Think: Microsoft Accounts, now the “secure” Windows NT Local User Authentication is effectively backdoored by MS and makes you vulnerable to phishing attacks. Windows Update: Constantly pushing dark patterns and ‘features’ that it discourages people from updating so then guess what, people don’t update! The fact that Windows so easily allows Crowdstrike to make system level changes like this without trying a whiny fit is also apart of it. Think about the fact how easily Microsoft allows stuff like Valorant anti-cheat and Crowdstrike, which are effectively rootkits, to be installed with one UAC prompt. In reality this issue is not really Microsoft’s fault directly, but in a bunch of indirect ways they encourage this and allow it to happen, and we have seen time and time again, Microsoft DOES NOT CARE ABOUT SECURITY.

      If anything this “Crowdstrike” software showcases the endemic problem in software security and how our system is failing and continuing to fail us. Its an anti-virus, but we already HAVE Windows Defender. These corporations should not be using some random 3rd party Antivirus, I doubt it even does much good, its just cargo-culting “oh, this is industry standard, so we have to use it.” This is the kind of thinking/approach that Microsoft encourages.

      • Possibly linux@lemmy.zip
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        Well an organization shouldn’t be giving end users admin. That’s a recipe for disaster. From an updates perspective you can tightly control which update is applied and when.

        Microsoft makes some crappy decisions but they do know who there big customers are.

    • jabjoe@feddit.uk
      link
      fedilink
      English
      arrow-up
      25
      ·
      edit-2
      5 months ago

      Few things, in rough order:

      • Smaller = less attack surface. You can strip a Linux OS down to only what is needed.

      • Open source, so it’s can be peered review. There are Unix distros like OpenBSD, that share lot of user space component options, where auditing is a big thing. The whole sunlight and oxygen stops things festering as much. As abosed to things locked in a box in another box down in a cellar.

      • Open source transparency forces corporates to be better. We can see what they are and aren’t doing.

      • Diversity. The is no “Linux”, it’s a ecosystem of Linux distros all built and configured differently, using different components. Think of Linux as just a type of base board in a sea of Unix Lego bits. There are plenty of big deployments on BSD bases that share a lot with some Linux deployments.

      • Unix security is simplier than Windows security, so easer to not mess up.

    • catnip@lemmy.zip
      link
      fedilink
      arrow-up
      14
      ·
      5 months ago

      Its not and everyone who says it does is full of shit. The reason linux doesnt need av is that av is secretly overrated

    • uis@lemm.ee
      link
      fedilink
      arrow-up
      13
      ·
      5 months ago

      In general it is. Opensource software has less bugs that proprietary. And even those bugs can be mitigated with hardening.

      • count_dongulus@lemmy.world
        link
        fedilink
        arrow-up
        5
        ·
        5 months ago

        That’s…a gross oversimplification. Super popular open source projects tend to have few bugs from the sheer number of contributors available to fix them, but active proprietary software has dedicated teams working fulltime every week to deal woth issues. Proprietary stuff is often way wider in scope than open source, so more surface for bugs to creep in. Scope and team size have a lot more to do with bug density than open vs closed source.

        • mexicancartel@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          1
          ·
          5 months ago

          I don’t know how much effort thoose proprietary software companies put into the actual software. Why is windows so shit? Why is whatsapp buggy? They try to get money with shit software with no optimisations at all.

          • count_dongulus@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            5 months ago

            How many open source projects have 50 million lines of code like Windows, or legal agreements related to backwards compatibility and version support guarantees?

            A for-profit company is going to focus on whatever generates revenue, sure. But crappy software will lose customers in a non-monopoly scenario. They’re not exactly incentivized to make broken things nobody wants.

    • Angry_Autist (he/him)@lemmy.world
      link
      fedilink
      arrow-up
      12
      ·
      5 months ago

      It’s not, in fact out of the box Linux is SIGNIFICANTLY more insecure than windows.

      The thing is, hackers and hack tool makers target the largest market segment to gain the most conversions.

      Apple users used to gush about how virus proof they were until they hit decent market share, and then they got plenty of malware.

      Same thing with Linux but the real difference is you need a few decades of linux experience to fix anything in a timely manner.

      • Empricorn@feddit.nl
        link
        fedilink
        English
        arrow-up
        9
        ·
        edit-2
        5 months ago

        Linux is SIGNIFICANTLY more insecure than windows.

        Absolutely not true. I assume you don’t have a source for this? Besides your butt…?

        UPDATE:: They did not have a source.

        • Angry_Autist (he/him)@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          5 months ago

          Does Linux come out of the box with A/V and firewalls?

          On second thought, you’re dismissive little aside just convinced me to excise you from my internet experience for all eternity.

          Ta…

          • itslilith
            link
            fedilink
            arrow-up
            7
            ·
            5 months ago

            AV is a bandaid for the horrible way software is handled in Windows. Linux is far from perfect, but package repositories are such a step up when it comes to security.

            • Abnorc@lemm.ee
              link
              fedilink
              arrow-up
              3
              ·
              5 months ago

              There is still the need to add repositories and download packages from the web every so often though. I don’t see why AV isn’t more common. It doesn’t stop the more clever and up to date attacks, but some protection from the simple things wouldn’t hurt.

          • Empricorn@feddit.nl
            link
            fedilink
            English
            arrow-up
            4
            ·
            edit-2
            5 months ago

            What a dumb argument. You have to configure firewall rules for Windows and Linux. That is like the first thing any competent admin will do, no matter what OS they are working with…

        • MehBlah@lemmy.world
          link
          fedilink
          arrow-up
          6
          ·
          5 months ago

          It isn’t. Most distro’s leave the firewall disabled on install but what services are exposed? None. Most are set to localhost only and ssh is normally not installed or enabled. Antivirus on windows especially defender just seems to keep me from doing my job. For instance every decent utility from nirsoft is detected by defender as being infected. I suspect microsoft hates those utilities that allow you to back up credentials and most critically license keys.

          I do agree that the main thing that keeps linux from being as easily exploited is the more about the average linux user and less about inherent security. I’ve only had one Linux machine exploited in thirty years and it was a older version of Debian that a vendor disabled the automatic updates on when it was installed. I woke one morning to 10gb of upstream traffic on my traffic graphs. The attacker had gained access through a outdated version of apache. The fools who had compromised the system couldn’t understand why he had to work through a rdp session to reinstall his product when I reloaded it with the latest version. The fool was pissed that I had updated debian. My boss pressed them until they agreed it was time to let debian 7 go since the latest at the time was debian 9.

          But in the end the breach happened because of a foolish vendor with outdated ideas regarding updating a OS.

          • KubeRoot@discuss.tchncs.de
            link
            fedilink
            English
            arrow-up
            3
            ·
            5 months ago

            Does windows come preinstalled and preconfigured with more potentially vulnerable software on open ports?

            I personally don’t value an antivirus that much, since it can only protect you from known threats, and even then, it only matters when you’re already getting compromised - but fair point for Windows, I suspect most distros come without antivirus preinstalled and preconfigured.

            A firewall, on the other hand, only has value if you already have insecure services listening on your system - and I’m pretty sure on Windows those services aren’t gonna be blocked by the default settings. All that said though… Most Linux distros come with a firewall, something like iptables or firewalld, though not sure which ones would have it preconfigured for blocking connections by default.

            So while I would dispute both of those points as not being that notable, I feel like other arguments in favor of Linux still stand, like reduced surface area, simpler kernel code, open and auditable source.

            One big issue with Linux security for consumers (which I have to assume is what you’re talking about, since on the server side a sysadmin will want to configure any antivirus and firewall anyways) could be that different distributions will have different configurations - both for security and for preference-based things like desktop environments. This does unfortunately mean that users could find themselves installing less secure distros without realizing it, choosing them for their looks/usage patterns.

      • vsis@feddit.cl
        link
        fedilink
        English
        arrow-up
        3
        ·
        5 months ago

        target the largest market segment to gain the most conversions.

        Windows market share is bigger in desktop only. In fact, is kinda sad that still there are serious institutions using Windows for non-desktop stuff. I hope this incident changes it.

        the real difference is you need a few decades of linux experience to fix anything in a timely manner.

        [ citation needed ] Probably you are meaning desktop again. Although troubleshooting Windows is not easy task neither, there are way more desktop users familiar with it.

        The real thing is

          1. There is no single “linux” OS. There are lots of different OSes based on Linux kernel. And they are for servers, desktop, embedded systems, smartphones, etc.
          1. More important. Security is a process, not a product from a vendor. The root cause of this incident is that some institutions are seeing that you just buy “security”, install it, and call it a day. No important stuff should auto-update. And no institution should auto-update lots of important stuff at the same time.

        So, Linux is not really more secure. But is built in a culture where security is taken more seriously.

    • Simulation6@sopuli.xyz
      link
      fedilink
      arrow-up
      12
      ·
      5 months ago

      Sort of an aside, but I am seeing Microsoft more as a hostile entity that I need to protect myself from.

    • save_the_humans@leminal.space
      link
      fedilink
      English
      arrow-up
      7
      ·
      5 months ago

      In addition to what others have said, there’s the move towards containerized applications on Linux via flatpaks, immutable distributions, and snapshots/rollbacks. There are also distributions like Debian with a delayed package release schedule for added stability and security. Its my understanding that you could have an exceptionally secure, effectively trustless, Linux system beyond what is possible on Mac or Windows.

    • Johanno@feddit.org
      link
      fedilink
      arrow-up
      7
      ·
      5 months ago

      It isn’t.

      However security software for Linux usually doesn’t operate in kernel level usually. And it doesn’t brick your bios.

      That being said because of how Linux works it is much more possible to safe a bricked Linux machine than a Windows machine.

    • ulterno@lemmy.kde.social
      link
      fedilink
      English
      arrow-up
      5
      ·
      5 months ago

      If you follow the philosophy that it follows, that is, giving the least possible permission to any application, to make it work, it easily becomes much more secure than Windows.

      On the other hand, if you log into your GUI desktop as root, Bill Gates save you.

  • Brkdncr@lemmy.world
    link
    fedilink
    arrow-up
    7
    ·
    5 months ago

    MS’s built-in security platform is top tier also. Some companies like alternative products.

    • curbstickle@lemmy.dbzer0.com
      link
      fedilink
      arrow-up
      14
      ·
      edit-2
      5 months ago

      There is nothing Microsoft I would consider “top tier” when it comes to security.

      Defender does a great job for many AV tasks. Crowdstrike does more, and protection isn’t tied to windows updates.

      This isn’t a situation where companies just chose not to use the free item, the free item has other costs (management overhead) and is missing some features.

      The best answer, of course, is to not use windows for anything that needs to be secure.

      Edit: For those who think I’m wrong, cool. I’m not but you are welcome to disagree.

      There is a difference between the free defender and paid for defender. If you’re a home user, check out defenderui.com to get (many, not all) features that are normally limited to intune/gpo.

      A full and proper deployed defender stack is very good, but in terms of management… The approach to different os’s is practically cobbled together, the webui is horrific, and it lacks some basic functionality. A problem to manage a system like this is a problem to deploy a system like this.

      If you’re on the free Defender level, you are not getting anywhere near the same features as falcon, there is absolutely zero question about that.

      • MajorHavoc@programming.dev
        link
        fedilink
        arrow-up
        4
        ·
        5 months ago

        The best answer, of course, is to not use windows for anything that needs to be secure.

        Edit: For those who think I’m wrong, cool. I’m not but you are welcome to disagree.

        • Linux admins here: Quiet nods and knowing looks.
        • Windows admins here: quiet awkward glances at each other to see if anyone wants to defend MS today.
        • Mac admins here: quiet awkward glances to see if anyone feels like this was any better than a coin toss chance of happening just to Macs, today, instead.
        • merc@sh.itjust.works
          link
          fedilink
          arrow-up
          6
          ·
          5 months ago

          Theoretically, this could hit Linux too. You could run a Linux kernel mod containing closed source stuff from a third party vendor which causes the system to kernel panic. The difference is really cultural. Linux admins would howl at that kind of setup, whereas for Windows it’s more standard.

      • Refurbished Refurbisher@lemmy.sdf.org
        link
        fedilink
        arrow-up
        3
        ·
        5 months ago

        There is nothing Microsoft I would consider “top tier” when it comes to security.

        Counterpoint: Xbox consoles. They just stick everything inside of VMs a la QubesOS

          • Refurbished Refurbisher@lemmy.sdf.org
            link
            fedilink
            arrow-up
            4
            ·
            5 months ago

            Seems like that’s a Windows issue and not Xbox. There was a recently released kernel exploit for Xbox, but it’s sandboxed to the SystemOS.

            If you want to pwn the Xbox OS entirely, you would need a hypervisor escape exploit, which is very difficult to accomplish.

            • curbstickle@lemmy.dbzer0.com
              link
              fedilink
              arrow-up
              3
              ·
              5 months ago

              That’s gaming services, so I guess it’s windows only then, you’re right. Like I said, no idea regarding anything about current consoles for me. Haven’t played on a console since the 360.

              • Refurbished Refurbisher@lemmy.sdf.org
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                5 months ago

                Are you familiar with QubesOS? It has a similar security model to the Xbox consoles.

                Basically, the host OS only exists to run VMs, which includes separate VMs for networking, USB devices, applications, etc. With QubesOS, you can also pass through something like a GPU for use in a dedicated gaming VM (although you can do that on any Linux distro).