IT/Software career thread: Invert binary trees for dollars.

  • Guest, it's time once again for the massively important and exciting FoH Asshat Tournament!



    Go here and give us your nominations!
    Who's been the biggest Asshat in the last year? Give us your worst ones!

TJT

Mr. Poopybutthole
<Gold Donor>
43,061
110,048
Seems like that's a pretty big crowd.

Even if you have good practices if you have dependencies on other organizations where they shit the bed you still have problems.
 

moonarchia

The Scientific Shitlord
24,291
45,620
My company is so cheap it would make Scrooge blush. So of course we do not have the resources to test anything like that, so that stuff went live immediately.
 

rhinohelix

Dental Dammer
<Gold Donor>
3,096
5,107
I work for a Fortune 10 company that is constantly the target of radical ideologues, state actors and cyber criminals. Normally you would have a test/dev/stage level of deployment for most things, and even for most anti-malware stuff, there is some level of testing. CrowdStrike is different, though, and is trusted to protect against 0-day attacks; for that, you don't pass go and trust their updates, assuming they aren't going to fuck you. They have made billions being the go-to provider for a huge chuck of the world in that regard. It appears they let a broken kernel-level .sys driver as part of its Falcon Sensor update out into the wild which caused BSODs on every version of Windows it touched. It didn't break Azure or AWS itself but rather all the VMs.

Easy to fix: All you had to do was manually boot into Safe/Recovery mode and delete the file. Let me say that again.
All you had to do
is
MANUALLY
Log in
to every Virtual machine in every private host and public/private cloud you had VMs/Guests.
In a world in which people don't have to pay for physical hardware, the VM estate sprawl and labor shrinkage that has taken place in the last 15 years in AMAZING: Fewer people are managing more machines than ever before.


It's an interesting moment and a wake up call for many folks.
 

Palum

what Suineg set it to
27,210
42,970
I work for a Fortune 10 company that is constantly the target of radical ideologues, state actors and cyber criminals. Normally you would have a test/dev/stage level of deployment for most things, and even for most anti-malware stuff, there is some level of testing. CrowdStrike is different, though, and is trusted to protect against 0-day attacks; for that, you don't pass go and trust their updates, assuming they aren't going to fuck you. They have made billions being the go-to provider for a huge chuck of the world in that regard. It appears they let a broken kernel-level .sys driver as part of its Falcon Sensor update out into the wild which caused BSODs on every version of Windows it touched. It didn't break Azure or AWS itself but rather all the VMs.

Easy to fix: All you had to do was manually boot into Safe/Recovery mode and delete the file. Let me say that again.
All you had to do
is
MANUALLY
Log in
to every Virtual machine in every private host and public/private cloud you had VMs/Guests.
In a world in which people don't have to pay for physical hardware, the VM estate sprawl and labor shrinkage that has taken place in the last 15 years in AMAZING: Fewer people are managing more machines than ever before.


It's an interesting moment and a wake up call for many folks.
I still maintain anyone who didn't follow any change control and auto updates everything direct into prod is an idiot begging for exactly what happened Friday. I don't understand how after having so many supply chain attacks everyone forgot that too.

1000001614.png
 
  • 2Like
  • 1Truth!
Reactions: 2 users

rhinohelix

Dental Dammer
<Gold Donor>
3,096
5,107
I still maintain anyone who didn't follow any change control and auto updates everything direct into prod is an idiot begging for exactly what happened Friday. I don't understand how after having so many supply chain attacks everyone forgot that too.

View attachment 537773
You're not wrong; in a perfect world, everyone should follow textbook ITIL design. I used to be a Datacenter Mgr at a mid-sized company, and we had perfect ITIL test/dev/stage environments for every app or suite; Change Management was rigorously followed, and things were done by the book unless we were in a Major Incident. 0-Day attacks weren't quite the thing back then but as I moved to larger companies, the rigorous T/D/S segmentation broke down as the environments got larger and the estates sprawled out, and were subject to business cycles. When you have a couple thousand servers, its one thing. When you have 35,000+ servers and 100,000 laptops, (and more as the size and footprint of the enterprise grows) quantity takes on a quality all its own. IRM/CyberDefense isn't my area but they determined that speed of response was more important than extensive QA testing/prevention, particularly with how well CrowdStrike was trusted.

They may want to rethink that architecture after Friday.
 

TomServo

<Bronze Donator>
7,176
10,510
You're not wrong; in a perfect world, everyone should follow textbook ITIL design. I used to be a Datacenter Mgr at a mid-sized company, and we had perfect ITIL test/dev/stage environments for every app or suite; Change Management was rigorously followed, and things were done by the book unless we were in a Major Incident. 0-Day attacks weren't quite the thing back then but as I moved to larger companies, the rigorous T/D/S segmentation broke down as the environments got larger and the estates sprawled out, and were subject to business cycles. When you have a couple thousand servers, its one thing. When you have 35,000+ servers and 100,000 laptops, (and more as the size and footprint of the enterprise grows) quantity takes on a quality all its own. IRM/CyberDefense isn't my area but they determined that speed of response was more important than extensive QA testing/prevention, particularly with how well CrowdStrike was trusted.

They may want to rethink that architecture after Friday.
Turns out our infosec engineers had auto in prod on.

Thousands of servers bricked. Lolz
 
  • 1Worf
Reactions: 1 user

TJT

Mr. Poopybutthole
<Gold Donor>
43,061
110,048
Will any of them get let go over it?

My job was unaffected by it but external dependencies that did have these issues did cause us some problems.
 

Palum

what Suineg set it to
27,210
42,970
Will any of them get let go over it?

My job was unaffected by it but external dependencies that did have these issues did cause us some problems.
This is America people don't get held accountable, they get promoted! They just justified quadrupling their budgets!
 
  • 2Truth!
  • 1Solidarity
  • 1Worf
Reactions: 3 users

Control

Bronze Baronet of the Realm
3,116
8,228
Firing up the work laptop this morning after taking last week off:
Nervous Ted Striker GIF by filmeditor
 
  • 2Worf
Reactions: 1 users

TomServo

<Bronze Donator>
7,176
10,510
Will any of them get let go over it?

My job was unaffected by it but external dependencies that did have these issues did cause us some problems.
Dude. No one is accountable this days.
 
  • 1Worf
  • 1Like
Reactions: 1 users

Haus

<Silver Donator>
13,061
50,954
I still maintain anyone who didn't follow any change control and auto updates everything direct into prod is an idiot begging for exactly what happened Friday. I don't understand how after having so many supply chain attacks everyone forgot that too.

View attachment 537773
Another option to take exists. I'm not sure if it exists in Crowdstrike as it's been a hot minute since I was working through their UI and options but...

In most modern EDR/NGAV tools I have worked with there are options for "Auto-update, but delay X days before applying it". Which then would have bought you time to hit the "DO NOT UPDATE" button if a bad patch got out and bombed others.... This is a middle ground for those who don't have the resources to do their own full dev/test/prod motion and figure to let the rest of the world take the hit. ;)

Giving ANY tool, even your trusted to stop zero days tool, immediate access is taking on risk. Now, question becomes if you hadn't had absolutely lightning fast coverage for zero days how many system hours would you have lost, or data lost versus what you experienced Friday.
 
  • 1Like
Reactions: 1 user

Palum

what Suineg set it to
27,210
42,970
Another option to take exists. I'm not sure if it exists in Crowdstrike as it's been a hot minute since I was working through their UI and options but...

In most modern EDR/NGAV tools I have worked with there are options for "Auto-update, but delay X days before applying it". Which then would have bought you time to hit the "DO NOT UPDATE" button if a bad patch got out and bombed others.... This is a middle ground for those who don't have the resources to do their own full dev/test/prod motion and figure to let the rest of the world take the hit. ;)

Giving ANY tool, even your trusted to stop zero days tool, immediate access is taking on risk. Now, question becomes if you hadn't had absolutely lightning fast coverage for zero days how many system hours would you have lost, or data lost versus what you experienced Friday.
Yea you can set host groups to n-1 on auto and then push updates I'm pretty sure.
 
  • 1Like
Reactions: 1 user

Deathwing

<Bronze Donator>
16,903
7,910
Are you really doing your job if you aren't making your neurotic security "expert" anxious about not applying updates?
 

Khane

Got something right about marriage
20,521
14,253
My company doesn't auto push updates for anything except for, apparently, crowdstrike because it went out to every single machine in our company on Friday including all of our personal laptops lol.

I couldn't even get anyone from the help desk on the line to get me my bitlocker key so I could delete the offending file and get past the BSODs until Sunday. It was hilarious.
 
  • 1Solidarity
Reactions: 1 user

Palum

what Suineg set it to
27,210
42,970
I just got a text from a sys admin I worked with 15 years ago asking if I remembered some local account admin password from a particular server because crowdstrike nuked it.

Boy do I have questions.
 
  • 2Double Worf
  • 2Worf
  • 1Wow!
Reactions: 4 users

Haus

<Silver Donator>
13,061
50,954
I have friends who work at Crowdstrike.... I'm starting to worry and think I might need to do some welfare checks on them. They can't be doing well right now.
 
  • 1Solidarity
Reactions: 1 user

rhinohelix

Dental Dammer
<Gold Donor>
3,096
5,107
I just got a text from a sys admin I worked with 15 years ago asking if I remembered some local account admin password from a particular server because crowdstrike nuked it.

Boy do I have questions.
I am not on the frontlines but the CyberDefense war is real, yo. Nobody wants to be Maersk, Colonial Pipeline or fall victim to a Solar Winds™ style extended attack.
 
  • 1Truth!
Reactions: 1 user

Palum

what Suineg set it to
27,210
42,970
I am not on the frontlines but the CyberDefense war is real, yo. Nobody wants to be Maersk, Colonial Pipeline or fall victim to a Solar Winds™ style extended attack.

Nah it was legit the guy. It was more sad than shocking.