👋 Hi, it’s big, so here’s a Table of Contents:

Comments? Use this Mastodon thread for them.

Intro

When I was getting the first information about the Azure problems, I wrote the following on Mastodon:

It was a bit tongue-in-cheek, I confess:

  • I don’t like Microsoft for their harmful actions related to Free Software, namely backroom deals with politicians, software patents, fake standards, and so on. They persist with this harmful behaviour, regardless of your misperception of them “liking open source”. Lipstick on a pig, as the saying goes.
  • Even if the partner is the root cause, quickly throwing them under the bus in order to say “all is fine with our infrastructure” is a double-edged sword.
  • I believe people betting on other people’s computers without exit strategies are being naïve at best.

And I have a nagging suspicion that in at least some milieus there the feeling is quite mutual. 😁

However, the following two later snippets are quite insightful in two major, related but different, ways:

So, enough self masto-promo; let’s expand on the subject.

What is Crowdstrike Falcon?

The piece that “broke millions of computers” is called Crowdstrike Falcon®, which Crowdstrike itself describes as

CrowdStrike Falcon is the foundation of next-generation endpoint protection. Discover the power of real-time threat detection, simplified management, and proactive threat hunting, and unleash the unmatched protection of CrowdStrike.

  • You install the botnet sensor agent
  • Which will get its instructions from The Command And Control server Cloud!
  • Which will run in the background with maximum privileges
  • Which it needs in order to block attacks on your systems while capturing and recording (spying on) your activity

Did you get the subtext?

What happened?

Crowdstrike published many details over here, but since you’re already here I invite you to check them out after reading my post, to see if I said something wrong; don’t get distracted right now.

So someone with enough privileges at Crowdstrike updated a channel file, named ‘C-00000291*.sys’, which either wasn’t thoroughly tested or, more likely, had something that wasn’t caught by the defined test set. It happens, and sometimes you only catch it in real-life deployments, pants down and all.

Promptly, the botnet sensor agent downloaded and applied the file, rendering many (allegedly millions of) endpoints (jargon for your working computer running Microsoft Windows, but also any other Microsoft Windows computer) unusable.

You may recognize this image from Introduction of Botnet in Computer Networks

Of course, the solution is to remove this channel file so you can regain access to your endpoint and let the botnet sensor agent download the updated one with the proper content.

However, this was a nightmare for many infrastructure technicians and support helpdesks. Countless financial value was lost in sudden unavailability everywhere.

I can only wish it were so easy to detect that one had a real botnet agent installed and that there was an issue with its Command and Control servers. 😁

Why such a big impact?

Botnets usually have some means of spreading the infection. Usually it’s automated and works seamlessly in the background.

But this type of botnet is willingly paid for and installed on computers.

Decision makers at companies (C-level and D-level), desperate to gain some semblance of control over the uncontrollable risk of running Microsoft Windows on internet-connected computers rather than making sensible long-term changes, are quick to accept promised silver bullets from some vendor they can afterwards blame should something fail (like it did now, though I mean in terms of malware impact).

So it goes something like this:

  • You want to keep using Microsoft Windows, despite the risks
  • You want to control your employees, despite the doubtful morality (or even legality in certain jurisdictions; I believe this is the case in Portugal if such software is used on employee workstations, as direct surveillance is severely restricted)
  • Through marketing, word of mouth, or social media posts from other fools you learn about this silver bullet
  • You Purchase & Deploy
  • You participate in word of mouth or social media, sometimes in marketing (maybe with a discount value over at Crowdstrike)

You may also recognize this image from Introduction of Botnet in Computer Networks

Include some quite big companies with many thousands of endpoints, some with hundreds of thousands, and you get the gist of it…

Let me make this very clear: you volunteered to pay for and install a #botnet software on your computers. Now its #commandandcontrol servers had an issue and it broke your business.

Yeah, it’s your fault.

What should be done?

There are many things that should be done, it’s not a single factor.

Use Free Software!

One that, to me, is obvious is the need to stop using proprietary software, namely Microsoft Windows.

You’re delegating your trust and security solely to your vendors. Your ability to participate in the ecosystem is very low to null.

With Free Software, especially well-known components, there are many more people working on it, and you can add your hands too, should you find anything.

Also, stop imposing Microsoft Windows on your employees, they don’t deserve to be harassed. 😁

Most of the risks are gone, and you can safely configure the endpoint to avoid the other risks (your desktop user doesn’t need root, nor to be able to write to any place where executable files can exist, for instance).
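As an added example (not from the original post), here is a small POSIX shell audit of that last rule: it lists the directories a desktop user can write to that sit on a filesystem mounted without noexec, i.e. places where a dropped executable could still run. The mount table and the writable-path list are constructed samples so it runs offline; on a real host feed it the contents of /proc/mounts and the output of find / -writable -type d.

```shell
# Added audit script (not from the original post): report user-writable
# directories whose filesystem lacks the noexec mount option.

# Constructed /proc/mounts-style table (assumption, not from any real host).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sda4 /var ext4 rw,nosuid,nodev 0 0'

# Constructed list of directories the desktop user can write to (assumption).
SAMPLE_WRITABLE='/home/alice
/home/alice/.local/bin
/tmp
/var/tmp
/dev/shm'

# mount_opts_for PATH MOUNTS: print the mount options of the longest mount
# point that contains PATH (falls back to "/", which is rarely noexec).
mount_opts_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2; opts = $4
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); bestopts = opts }
            }
        }
        END { print bestopts }'
}

# exec_writable_dirs MOUNTS WRITABLE: print every writable directory whose
# filesystem lacks noexec, followed by the offending mount options.
exec_writable_dirs() {
    printf '%s\n' "$2" | while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        opts=$(mount_opts_for "$dir" "$1")
        case ",$opts," in
            *,noexec,*) ;;                          # hardened: writable but not executable
            *) printf '%s (%s)\n' "$dir" "$opts" ;;
        esac
    done
}

# Demo run over the constructed samples: /tmp, /var/tmp and /dev/shm show up,
# the /home tree does not because it is mounted noexec.
exec_writable_dirs "$SAMPLE_MOUNTS" "$SAMPLE_WRITABLE"
```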

A band of merry people once wrote this on their web-site:

You may recognize this piece of history from p.ulh.as

Fund Free Software!

Hire support, training, and consulting services, don’t just take Free Software and use it to your advantage. You can, but you shouldn’t be so one-sided.

Pay for the development or expansion of features; don’t just complain that it does all you need except for a tiny bit it doesn’t. Don’t throw the baby out with the bathwater!

🙄 Be fair in your assessments of Free Software solutions. I constantly see the following scenarios:

  • «Free Software FU must do X, Y, and Z, pass the internal audit, have a long PoC, etc etc.»
  • «Proprietary software BAR has already been bought and paid, why are you complaining that it does less than we actually need?»

This. Isn’t. Fair. It’s foolish.

Warning: NGI is being killed

Finally, a big WARNING: the European Commission is silently killing the NGI (Next Generation Internet) program…

«Horizon Europe working draft detailing funding programmes for 2025, we notice that Next Generation Internet is not mentioned any more as part of Cluster 4.» — ActivityPods

«Elimination of most Next Generation Internet funding ‘incomprehensible,’ says OW2 CEO Pierre-Yves Gibello» — The Register

«L’Union Européenne doit poursuivre le financement des logiciels libres» (The European Union must continue funding free software) — Framasoft

This is a big threat, as this is how NGI Zero Core is described:

We want a more resilient, trustworthy and open internet. We want to empower end-users. Given the speed at which the ‘twin transition’ is taking place, we need a greener internet and more sustainable services sooner rather than later. Neither will happen at global scale without protocol evolution, which — as the case of three decades of IPv6 introduction demonstrates — is extremely challenging. NGI0 Core is designed to push beyond the status quo and create a virtuous cycle of innovation through free and open source software, libre hardware and open standards. If we want everyone to use and benefit from the internet to its full potential without holding back, the internet must be built on strong and transparent technologies that allow for permissionless innovation and are equally accessible to all. — NLnet

Spread the word, or all you’ll get is Crowdstrike Falcon botnet spyware on your computers.