biscuitswalrus @aussie.zone
Posts 0
Comments 156
CrowdStrike’s faulty update crashed 8.5 million Windows devices, says Microsoft
  • Yeah we do a lot around frameworks at my current place, and previously we worked directly with customers with ISO and ACSC Essential 8 frameworks. For us, non-compliance = revenue opportunity. That means we are financially rewarded for aligning them and encouraged to do so. On that same note I wrote up a checklist for "sysadmin best practices" aimed at driving reviews and checks and remedial opportunities for small businesses, useful in that space. I got such an overwhelming amount of response in the MSP reddit from people asking in DMs about it (not hundreds, just dozens, too many for me though). It's quiet here in Lemmy. Happy to share my updated version of course, just I think if you're dealing in your sector it'll look like child's play lol. But I kind of want to encourage a bit of community within professionals here. I just don't want to spend time on it.

    I feel you about the lowly experienced officer bit though. An account manager or business development manager, or even CTO won't listen to me. I have a business degree, most of them don't. I try to apply critical decision making in my solutions and risk advisory. But the words fall on deaf ears. I take a small but very guilty pleasure watching the very thing I warn against, happening both to clients and my employers. Especially when the prevention was trivial but all it needed was any amount of attention.

    After nearly 20 years of IT and about 15 in MSP I'm so tired. I'm very much resonating with that "lowly engineer" comment.

  • CrowdStrike’s faulty update crashed 8.5 million Windows devices, says Microsoft
  • Hmm, yeah. Thanks for sharing. Because of 15 odd years of IT Managed Services, I only have non-technical companies on the brain and in my world view I hadn't considered technology provider companies at all. They typically don't need managed service providers (right or wrong :p).

  • CrowdStrike’s faulty update crashed 8.5 million Windows devices, says Microsoft
  • It's impossible to tell and you're probably more close to the truth than not.

    One fact alone, BCDR isn't an IT responsibility. Business continuity should be inclusive of things like: when your CNC machine no longer has power, what do you do? Cause 1: power loss. Process: get the diesel generator backup running following that SOP. Cause 2: broken. Process: get the mechanic over, or get the warranty action item list. Rely on the SLA for maintenance. Cause 3: network connectivity. Process: use USB following SOP.

    I've been a part of a half dozen or more of these over time, which is not that many for over 200 companies I've supported.

    I've even done simulations, round table "Dungeons and Dragons" style with a person running the simulation, where different people have to follow the responsibilities in their documented process. Be it calling clients and customers and vendors, or alerting their insurance, or posting to social media, all the way through to the warehouse manager using a biro and ruler, and recording stock incoming and outgoing by hand until systems are operational again.

    So I only mention this because you talk about IT redundancy, but business continuity is not an IT responsibility, although it has a role. It's a business responsibility.

    Further kind of proving your point, since anyone who's worked a decade without being part of a simulation or at least contributing to their improvement probably proves they've worked at companies who don't do them. Which isn't their fault, but it's an indicator of how fragile business is and how little they are accountable for it.

  • CrowdStrike’s faulty update crashed 8.5 million Windows devices, says Microsoft
  • That's how supply chains work. A link in the chain is broken, the whole thing doesn't work. Also 10% of major companies being affected is still giant. But you're here using online services, probably still buying bread, probably got fuel, probably playing video games. It's huge in the media, and it saw massive effects, but there's heaps of things that just weren't even touched that information spread on. Like TV news networks seemingly kept going enough to report on it non-stop, unaffected. Tbh though any good continuity and disaster recovery plan should handle this with impact but continuity.

  • What is the worst IT setup you have seen at a company?
  • Software shouldn't use passwords for TLS. Just like before you submit your bank password, your network connection to the site has been validated and encrypted by the public key your client is using to talk to the bank server, and the bank private key to decrypt it.

    The rest of the hygiene is still up for grabs for sure, IT security is built on layers. Even if one is broken it shouldn't lead to a failure overall. If it does, go add more layers.

    To answer about something like a WiFi Pineapple: those man-in-the-middle attacks are thwarted by TLS the moment an invalid certificate is offered, since the man in the middle should not and cannot know the private key (something that isn't used as whimsically as a password, and is validated by a trusted root authority).

    If an attacker has a private key, your systems have already failed. You should immediately revoke it. You publish your revocation, invalidating it. But even that would be egregious. You've already let someone into the vault; they already have the crown jewels. The POS system doesn't even need to be accessed.

    So no matter what, the WiFi is irrelevant in a setup.

    Being suspicious because of it though, I could understand. It's not a smoking gun, but you'd maybe look deeper out of suspicion.

    Note I'm not security operations, I'm solutions and systems administrations. A Sec Ops would probably agree more with you than I do.

    I consider things from a Swiss cheese model, and rely on 4+ layers of protection against most understood threat vectors. A failure of any one is minor non-compliance in my mind, a deep priority 3. Into the queue, but there's no rush. And given a public WiFi is basically the same as a compromised WiFi, or a 5G carrier network, a POS solution should be built with strengths to handle that by default. And then security layered on top (MFA, conditional access policies, PKI/TLS, MDM, endpoint health policies, TPM and validation++++)

  • What is the worst IT setup you have seen at a company?
  • Transport Layer Security should mean this shouldn't matter. A good POS shouldn't rely on a secure network; the security should already be built in cryptographically at the network session layer. Anything else would still have the same risk vector, just a lower chance of happening.

    In fact many POS systems happily just take a 4G/5G SIM card because it doesn't matter what network they're on.
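The two comments above argue that a hostile network (public WiFi, an interception device, a carrier SIM) is irrelevant when the POS client validates the server's certificate against a trusted root. This added shell example, not from the comments or any POS vendor, makes that concrete with OpenSSL: a demo root CA issues the real server's certificate, while an interceptor who never obtained the CA's private key can only present a self-signed certificate for the same hostname, which chain validation rejects. All names (the CA, `pos.example.test`) are constructed for the demo.

```shell
#!/bin/sh
# Added example: why a network interceptor cannot forge a trusted TLS
# identity without the issuing CA's private key. Constructed demo names.
set -eu

WORK=$(mktemp -d)
HOST="pos.example.test"   # hypothetical POS backend hostname

# 1. The trusted root CA: this is what the client's trust store holds.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Demo Root CA" >/dev/null 2>&1

# 2. The legitimate server: its CSR is signed with the CA's private key.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
  -subj "/CN=$HOST" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/srv.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/srv.pem" >/dev/null 2>&1

# 3. An interceptor's certificate for the same hostname. Without the CA
#    key the best it can do is self-sign, so it chains to nothing trusted.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" \
  -subj "/CN=$HOST" >/dev/null 2>&1

# verify_cert FILE: validate the chain against the trusted root only,
# exactly the check a TLS client performs before sending any credential.
verify_cert() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

legit_result() { verify_cert "$WORK/srv.pem"; }   # expected: accepted
rogue_result() { verify_cert "$WORK/rogue.pem"; } # expected: rejected

echo "legitimate server cert: $(legit_result)"
echo "interceptor cert:       $(rogue_result)"
```

The check here is chain-of-trust only; a real client additionally matches the hostname against the certificate and consults revocation data, which is the step the comment about revoking a leaked key refers to.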

  • No PS3 backwards compatibility
  • I knew a datacenter that had hundreds of PS3s for rendering fluid simulation and other such things that at the time were absolutely cutting edge tech. I believe F1 and some early 3D Pixar stuff was rendered on those farms. But like all things, technology marched on. FPGAs and CUDA have taken that space.

    Cell definitely was heavily used by specialist/niche industry though.

    I wonder if I can find you some link to explain it better than the rumours I heard from staff that used to work in those datacentres.

    Hmm, hard to find commercial applications, probably individuals might have blogged. Otherwise here's what I'm talking about: https://en.m.wikipedia.org/wiki/PlayStation_3_cluster

  • Today I'm grateful I'm using Linux - Global IT issues caused by Crowdstrike update causes BSOD on Windows
  • Hate to break it to you, but most IT managers don't care about CrowdStrike: they're forced to choose some kind of EDR to complete audits. But yes, things like CrowdStrike, Huntress, SentinelOne, even Microsoft Defender all run on Linux too.

  • NVIDIA Transitions Fully Towards Open-Source GPU Kernel Modules. Keep in mind that the drivers are still proprietary.
  • Well, what I really wonder is, because the kernel can include it, if this will make an install more agnostic. Like literally pull my disk out of a gaming NVIDIA machine, and plug it into my AMD machine with full working graphics. If so this is good for me since I use a USB-C NVMe SSD for my OS to boot from on my work and home machines and laptops for when I'm not worrying. All three currently have NVIDIA cards and this works ok. I have some games to chill and take a break. My work's core OS for work MDM etc. stays unmodified. I like it that way.

    I realise this is not a terribly useful case, but I could see it for graphically optimised VM migrations too, not that I have many. Less work in transitioning gives greater flexibility.

  • Yellow Flag: "Privacy on the web is fundamentally broken, for at least 90% of the population. Advertising on the web is fundamentally broken, for at least 90% of the population…" - Infosec Exchange
  • Fundamentally what the alternative is, is to propose that you remain the sole owner of your privacy at the cost of sharing with advertisers that you have, say, 6 generic topics you're interested in. Like motorsports. It, with the millions or billions of others looking. The ad tracking currently knows everything about everyone and then works out if motorsports is an effective ad for you individually, based on their profile of you.

    For me, I'm fine with the current system. For my family though, they're just using phones and tablets with their default browser, blissfully unaware that there's no privacy. Then their data gets leaked out.

    I know it's an extreme kind of case, but domestic abuse victims are always my thought when you think of a counter to "well I've got nothing to hide". Those people if they're unsure about privacy, will err on the side of caution. They stay trapped.

    In conclusion, I'd rather move the needle forward for those who are at risk. Those whom installing anti-tracking plugins would put at further risk. Where installing odd browsers makes them a target. We can find perfection later. Make the web safer now.

    Plenty of people could justifiably take the opposite stance. But even just for my grandparents, they shouldn't be tracked the way they are. They're prime candidates for scams, and giving away privacy is one data leak away from a successful scam.

    Kind of off topic to what you said I realise. :)

  • please
  • Ah you're thinking I'm reading your other comments to other people.

    BTW HIPAA is for providers, for their patients' information handling. Once it's in the person's hands, it's no longer under HIPAA and it no longer applies. If you decide to put your private medical information on a commercial advertisement board on a highway, and it's not breaking laws to do with acceptable advertisement (eg gore or smut), you'll be able to do that too.

    Basically there's no expectation for an individual person to adhere to HIPAA for their own personal information storage and it doesn't apply.

    My assumption with your lawyer comment is this was an insurance or otherwise medical malpractice lawyer who might collect this information for their client cases, since without having client/patient requirements, HIPAA is irrelevant.

  • please
  • The moment a lawyer saves their medical records in a way that unintentionally and without their consent uploads them to OneDrive, they have a pretty solid case to charge Microsoft for a HIPAA violation

    Are we talking about the same comment?

  • please
  • You should be, if you're on a work computer with privileged documents, controlling it with an appropriate level of care. No matter Linux or Windows. If you're using Home and defaults, you've failed no matter what.

  • please
  • https://www.hipaajournal.com/onedrive-hipaa-compliant/#

    Totally feasible to use OneDrive.

    However I've got no sympathy for even a small business using IT without someone configuring their system in a way that controls this. A lawyer of all people knows that knowledge is worth something.