Single point of failrule (lemmy.blahaj.zone)

submitted 1 month ago by [email protected] to c/[email protected]

27 comments fedilink hide all child comments

top 27 comments

sorted by: hot top controversial new old

[-] [email protected] 27 points 1 month ago

Thank you, I am fucking sick of people passing this comic around in relation to the Crowdstrike failure. Crowdstrike is a $90bn corporation, they're not some little guy doing a thankless task. They had all the resources and expertise required to avoid this happening, they just didn't give a shit. They want to move fast and break things, and that's exactly what they did.

[-] [email protected] 11 points 1 month ago

They're so far from being the little guy, their CEO has extensive experience DOING LITERALLY THIS SAME THING 14 YEARS AGO

[-] [email protected] 3 points 1 month ago

The NSA should hire him to do an internal audit.

[-] [email protected] 6 points 1 month ago

Off topic but that "move fast and break things" line from Zuck irks me quite a bit. Probably because it's such a bratty corporate billionaire thing to say

[-] [email protected] 2 points 1 month ago* (last edited 1 month ago)

It works in most software because the cost of failure is cheap. It's especially cheap if you can make that failure happen early in the development process. If anything, I think the industry should be leaning into this even harder. Iterate quickly and cause failures in the staging environment.

This does not work out so well for things like cars, rockets, and medicine. And, yes, software that runs goddamn everything.

[-] [email protected] 3 points 1 month ago

The problem is that this strategy is becoming more popular in physical product development, for things that we’ve known how to make for decades.

You don’t need to move fast and break things when you’re making a car. We’ve been making cars on assembly lines for a hundred years, innovation is going to be small.

Same thing for rockets. We put men on the moon 50 years ago for fucks sake. Rocketry is a well understood engineering field at this point. We know exactly how much force needs to exerted, we know exactly the stresses involved. You don’t need to rapidly iterate anything. Sit down, do the math, build the thing to spec, and it fucking works: see ULA, ESA, and NASA who have, all in the past few years, built rockets and had them successfully complete missions on the first launch without blowing up a bunch to “gather data”

Move fast and break things is for companies that have crackhead leadership who can’t make up their mind about what a product should do. It should have no place in real world engineering, where you know what your product is going to be subject to.

[-] [email protected] 1 points 1 month ago

“Looks at SpaceX”, Iterate quickly and break things can work for rockets, it just depends on the development phase and the type of project. I wouldn’t “iterate quickly” with manned, extra terrestrial or important cargo missions.

But it can be used for the early development of rockets. Space X had a deep well of proven technology to draw upon during the development of the Falcon rocket. They put the tech together and iterated quickly to get a final product.

Blue Origin as well as the Artemis program both use traditional techniques with similar proven technologies. I’d argue they aren’t as successful or were never intended to be successful (Artemis is just a jobs program for shuttle contractors at this point).

[-] [email protected] 2 points 1 month ago

Besides, they are not even in the stack.

They are just out, throwing shit at it.

[-] [email protected] 0 points 1 month ago* (last edited 1 month ago)

You're right people should have high expectations of crowd strike since it's a well funded company, and they should provide better support to the random project with a single maintainer.

That said, is there any indication crowd strike is a "move fast and break things" company? Sometimes people just fuck up, even if they don't have a crazy ideology.

[-] [email protected] 1 points 1 month ago* (last edited 1 month ago)

You want proof they move fast and break things? They pushed an untested software update with auto update without rollout phases. How’s that for move fast? As for break things, well, do I need to explain?

[-] [email protected] 0 points 1 month ago

Posting a "relevant" xkcd and acting like it's clever is some people's excuse for a personality.

[-] [email protected] 0 points 1 month ago

If everybody else is doing the same thing, yeah.

[-] [email protected] 7 points 1 month ago

Yep, its not the cave gremlin that codes clean and efficiently, using 1/10th of the amount of code lines, that fucks it up. Its the bloated commercial software vendors that break their software every week.

[-] [email protected] 3 points 1 month ago

it's* not the cave gremlin
It's* the bloated commercial software vendors

[-] [email protected] 1 points 1 month ago

Love your account name

[-] [email protected] 2 points 1 month ago

It's no tits.

[-] [email protected] 1 points 1 month ago

...or it's the gremlin who tries to get by, but only has like 30min a week for his project, since he has a day job and two gremlettes to feed.

See the xz debacle.

The underlying problem is, that there's no monetary value being assigned to good software. As long as it's good enough to sell it and buy insurance, that's fine.

[-] [email protected] 3 points 1 month ago

If the Falcon driver was open source, someone might have actually caught the bug ahead of time.

[-] [email protected] 2 points 1 month ago

I doubt it. Few people are volunteering their time reading pull requests of random repos. It probably went fast from pull request to deployment, so there would be no time for anyone external to read.

The only thing open source would’ve done is to give us a faster explanation of why it happened after the fact.

[-] [email protected] 4 points 1 month ago

Considering this is a cybersecurity product that requires installing a kernel mode driver on mission-critical hardware, I guarantee at least a few people would have been interested in looking at the source if they had the opportunity. Or tried to convince their employers purchasing the software to pay for a third-party audit.

The update that broke everything only pushed data, not code. The bug was extant in the software before the update, likely for years. Can I say for sure that a few extra eyes on the code would have found the problem ahead of time? No, of course not. But it couldn't have hurt.

[-] [email protected] 0 points 1 month ago

The update that broke everything only pushed data, not code. The bug was extant in the software before the update, likely for years.

A terrifyingly large number of critical issues come to light like this. The code has been broken since the first release, but nobody noticed until a certain edge-case occurs.

[-] [email protected] 1 points 1 month ago

Exactly. Even worse, a bug like this isn't just a crash waiting to happen. It's also a massive security hole.

If an incompetently written file can crash the system, there's a decent chance that a maliciously crafted file could have allowed the complete takeover of it. Memory safety bugs, especially in kernel code, are very serious.

A lack of validation would have been a glaring red flag to any outsider looking at the code, but it's exactly the kind of thing someone who's worked on the software forever could easily overlook. It's so, so easy to lose sight of the forest for the trees.

[-] [email protected] 2 points 1 month ago

Expected behavior: The file is not composed of null bytes.

Actual behavior; The file is composed entirely of null bytes.

[-] [email protected] 1 points 1 month ago

Can you have open source anti virus software?

[-] [email protected] 2 points 1 month ago* (last edited 1 month ago)

Yes. Security through obscurity is an illusion. ClamAV is a well known and high performance open source AV solution.

Edit: Here is the CWE entry on the topic in case anybody wants to read some more details as to how and why obscurity is not a valid approach to security.

[-] [email protected] 0 points 1 month ago

Not easily.

Anti-virus companies--when they do it right--have tightly controlled air-gapped systems that they use to load viruses and test countermeasures. It takes a lot of staff to keep those systems maintained before we even talk about the programming involved, plus making sure some idiot doesn't inadvertently connect those machines to the main building WiFi.

There was at least one confirmed case of a virus spreading through speakers and microphones. What "air-gapped" means is pretty extreme.

If it's possible at all, it'd have to be through significant donations or public funding. A volunteer effort isn't going to cut it.

[-] [email protected] 1 points 1 month ago* (last edited 1 month ago)

Well it isn't actually a confirmed case. Ruiu, the original person reporting the issue wasn't sure exactly what the surface area of attack was at the start. Ruiu Dragos, who is a security researcher believed it infected via speakers.

Eventually Errata CEO, Robert Graham, said that if he spent a year, he could build malware that did the same and that it was 'really, really easy'

Eventually, Ruiu noticed that the initial stage of infection was from one of his USB sticks.

The speakers part comes in that he found that the packets transmitted between badBIOS infected machines stopped if he disconnected the internal speaker and microphone.

Meaning, that sure, badBIOS may communicate data with each other via speakers but that it has never been proven that it could actually infect another machine via speakers. However, that hasn't stopped articles from conflating things.

this post was submitted on 22 Jul 2024

39 points (100.0% liked)

196

16190 readers

2204 users here now

Be sure to follow the rule before you head out.

Rule: You must post before you leave.

^other^ ^rules^

founded 1 year ago

MODERATORS

[email protected]