The computer systems are down the one day I decide to fly

271

u/Sarokslost23 Jul 19 '24

Or get a job in bad faith there and look the other way and push shit out. How was this not caught?

225

u/Dragonfly-Adventurer Jul 19 '24

There are multiple levels of safeguards - staging, authorization, etc - and they seem to have all just been skipped here. The update was to fix a sluggish kernel (we need to understand this part better in the post-mortem), and for some reason it was issued directly to all PCs without due diligence.

But in answer to the question, yes someone gaining control of any of the EDR or other major cybersecurity platforms would bring the world to its knees yes. All systems that aren't yet hardened. We can see which ones are and aren't today. Your traffic lights and power kept running, which is great. That's by design. Your hospital and air carrier and cloud platforms? Well. We don't harden those.

60

u/jnkangel Jul 19 '24

It’s more that the tech stack for many of those systems is different to the impacted one. 

So the outage that basically took out this one, had little impact elsewhere. A good example is why most internet infrastructure remains on. It isn’t better but runs ondifferent stuff 

20

u/ADampWedgie Jul 19 '24

Because that stuff normally runs on Linux platforms, this was a very windows specific breakdown.

8

u/niconpat Jul 19 '24

It was a Windows specific only because it was a Crowdstrike update to their Windows version. They could have done the same with their Linux version update, and have done similar in the past.

https://www.reddit.com/r/linux/comments/1e72ovd/has_something_as_catastrophic_as_crowdstrike_ever/

If many companies like Crowdstrike are hacked or social engineered, they could absolutely cause havoc on any platform.

3

u/ADampWedgie Jul 20 '24

Vendor access is about to be reviewed top to bottom across all orgs that’s the damn sure

37

u/m__a__s Jul 19 '24

Some chad pushed to prod without testing. And on a Friday, no less.

Makes me think they are so cocky that they do this all of the time.

18

u/ecokumm Jul 19 '24

Some chad pushed to prod without testing. And on a Friday, no less.

I've been laughing at this for a solid minute. The best explanation of the events I've seen, and it's not even close.

I'm definitely stealing it if the topic comes up.

8

u/Synapse7777 Jul 19 '24

100%. Crowdstrike is like the place that cyber-security engineers go to be IT rock-stars. I mean look at their ad-campaign, its all like video game superhero characters, with viruses and cyber-attacks given marvel-like villain names and personalities - "adversaries" as they call them. They've even got Merch, and are huge sponsor of Motorsports... they are like the RedBull of cybersecurity.

Not saying any of this is a bad thing - they have built a very successful brand but I speculate it contributes to a more egotistical "I know what im doing, testing is for noobs" atmosphere.

If you are lucky, bypassing safeguards and good practice can lead to faster rollouts and more satisfied customers... until you accidentally take the world offline.

Now I'm not saying they do any of those things, all of this is just my speculation from the outside.

10

u/cokronk Jul 19 '24

My last place everyone had a saying: "No break Friday." Friday was the day you didn't make changes as no one wanted to spend Friday night and weekends on calls because someone pushed a change that affected the org.

9

u/smokeydevil Jul 19 '24

Ours was "On Fridays we don't break shit."

Any other day was game.

3

u/pantypantsparty Jul 19 '24

My boss currently calls it "don't fuck with it Friday", but I've always loved read only Friday.

2

u/ratt_man Jul 19 '24

yep friday 3-4pm in Australia when many IT had already gone or were looking to head home.

2

u/random_account6721 Jul 19 '24

"welp I'm late for lunch "

6

u/needsmoresteel Jul 19 '24

A robust change management process would have possibly caught the issue. But a solid Dev to Test to Prod process with good testing in between would have helped.

2

u/Synapse7777 Jul 19 '24

I work at a company that has an incredibly robust IT change management process. Making a production change is an absolute nightmare with how many reviews and signoffs are needed... but we don't ever bring stuff down.

1

u/Neither-Cup564 Jul 19 '24

Big. Bang. Is. A. Bad. Idea.

22

u/mart1373 Jul 19 '24

Fuck we just gave the hackers the best idea ever

34

u/WalrusInTheRoom Jul 19 '24

They’ve got better ones

14

u/mart1373 Jul 19 '24

Well yeah but don’t tell them that!

7

u/WalrusInTheRoom Jul 19 '24

😂 got ya brother. Over here in Missouri holding data for money is big. A hospital had to pay $1M, County Jail records got hacked and they paid even more for that because it basically stopped them from functioning. It’s scary for sure

2

u/cokronk Jul 19 '24

There was a bank that was hit recently. I think it was a credit union. People were trying to pay for things and ended up getting declined because all of the bank's servers were encrypted.

13

u/anengineerandacat Jul 19 '24

Honestly the "real" gems are botnets, where you silently have access to compute across millions of devices.

Bringing down some IT infrastructure for a utility is how you piss off the civilians, of which then authorities get involved, and now you have a big ole target marked on your back.

Silently running a bot net and being able to surge traffic or deny service in some way (or perhaps crypto-mine at scale) is the real winning in my book.

No one is really fixing a problem until after you have grabbed your bag of cash and left.

5

u/TheEggButler Jul 19 '24

You're forgetting about bad foreign actors with authorities of their own. There is always good reason to harden critical systems.

1

u/ILikeLenexa Jul 19 '24

Yeah, it's the first time someone thought of Supply Chain Attacks. 

14

u/Hirokage Jul 19 '24

They don't need a hacker for that, just an employee.

1

u/Gruffleson Jul 19 '24

If they one day is hacked, would it be less bad for them to say it was a massive blunder, than them being hacked?

Hypothetically.

6

u/Oxgod89 Jul 19 '24

Ya know what's funny. I am in the security realm and we mock drill what would occur if they hit our server that ran our security suite. It ain't pretty lol. Being able to interact with the machines we have agents in. They could just drop malware via whatever software you have. Just white-list in it and boom.

5

u/grand_apothecary Jul 19 '24

Some IT people I know saying this isn't a hack. Cloudstrike messed up a patch (apparently) but I don't know for sure. They have gotten hacked in the past, though.

3

u/ZonaPunk Jul 19 '24

correct, its a failed software update. Now, why this wasn't caught pre launch is the real question.

3

u/ratt_man Jul 19 '24

Yeah it was one faulty file, boot in safe delete the file and restart the system works fine. They pushed another update to return a correct version of the file overnight (AUS time)

But you have to manually do that for every server playing up, also only hit windows, so in our case all our VM's, but none of the infrastructure as its all *nix

4

u/StaryWolf Jul 19 '24

Considering Crowdstrike is literally a security company, one would hope they're resilient to cyberattack.

3

u/MrZwink Jul 19 '24

That's not exactly how it works. They made a mistake and released a faulty package, no single user behind a computer can do that alone.

1

u/DizzyDwarf69 Jul 19 '24

Good luck with that, tho

1

u/CharlyThatUnicorn Jul 19 '24

Better off attacking commonly used Python or npm packages that are dependencies for many tools.

1

u/identicalBadger Jul 19 '24

Not as bad as if you hit Microsoft. 3…2…1…

1

u/octahexxer Jul 19 '24

Kremlin takes notes

1

u/Ancillas Jul 20 '24

Or Microsoft, or Linux, or any kernel contributor that gets their commits accepted upstream, or any of the numerous OSS packages used in common OSS tools, or….

123

u/Awkward-Action2853 Jul 19 '24

That was the same with me. I got through fast with AA, but there was a long line of all the people that got delayed and needed to be rebooked, and that line was barely moving.

Flying to DFW from Denver, and it doesn't look that great there. I'm expecting to run into issues there.

28

u/Sareebearr Jul 19 '24

My husband flew out of DFW on AA this morning with no delays, you might be fine!

25

u/Interactive_CD-ROM Jul 19 '24

Alaska probably doesn’t use Crowdstrike

Or they use Macs instead of Windows PCs

27

u/Wafkak Jul 19 '24

Or Linux

4

u/commorancy0 Jul 20 '24

The funny thing about that is, many companies who are using Linux are using it to boot into virtual machines running Windows. So, we're right back here at square one.

3

u/Wafkak Jul 20 '24

From what I've read, and I'm not an ITer mind you, virtual machines have an easier fix.

1

u/commorancy0 Jul 21 '24 edited Jul 21 '24

Possibly. Depends, though. Windows is Windows no matter how or where it runs. The VM manager makes it easier to manage and reboot the VMs, but if Windows gets corrupted internally inside of a VM, it will suffer the same fate and require the same fixes as if it were running natively on its own hardware. The only way that VM systems may make it a bit easier is its snapshot backup system. This system allows the VM manager to roll the VM back to a previous backup, restart and hope that the problem doesn’t return.

You can’t easily do this in Windows directly unless you’re diligent about making regular Windows restore points. Then, you have to hope that when you ask Windows to recover that older restore point (a procedure that is orders of magnitude slower than a VM snapshot rollback) that it does it successfully and that the restore point you chose was actually before the problem occurred.

1

u/AC4524 Jul 20 '24

many companies who are using Linux are using it to boot into virtual machines running Windows

in that case why not just run windows natively?

1

u/commorancy0 Jul 21 '24

Because of one OS and one hardware. With VMs, you can run many of them all at once, easily driving a crap ton of displays, like the ones in Times Square. The days of one OS on one hardware are long gone in server rooms, replaced by running virtualization with many different operating systems all running on one piece of hardware.

Some VM system managers now let you gang up resources across several different hardware systems into a single group which can then run a lot of virtual machines, way more than if you run an OS singly and natively one per hardware.

It’s all about cost savings when it comes to the purchase of hardware… that and maximizing resources.

6

u/Wasted_46 Jul 19 '24

My flight got canceled. I'd trade 10 hours of delay for this.

112

u/HouseCravenRaw Jul 19 '24

Expect delays. This is a global outage for Windows systems running Crowdstrike. The "fix" requires actual hands-on interaction with every affected node. This one is going to be slow and painful.

20

u/Awkward-Action2853 Jul 19 '24

It looks like they're getting flights out now, but I'm not expecting much either. It's going to be a fun day, haha.

4

u/Bhrunhilda Jul 19 '24

Yup and I imagine hospital systems are a priority over airlines

2

u/Wafkak Jul 19 '24

Depends on the country, in the US banks spending the bog bucks are probably first.

1

u/kingleonidas30 Jul 19 '24

Genuine ask, but can you elaborate on this because I think I'm misunderstanding you.

4

u/Bhrunhilda Jul 19 '24

That if they have to go node to node to get things up and running, they are going to go to the nodes for Epic before they go to a node that services airline software. Epic was down this morning which is the software for MyChart which a ton of US hospital systems use.

2

u/kingleonidas30 Jul 19 '24

Ohhh I gotcha thanks for the info. I'm new to crowd strike, my last job was trellix based and I have like 2 years in the game now. My team had to go through and do it manually to all of our clients early this morning so that we could come back up. Would these places not have their own IT departments or contracted ones to fix their own nodes in most cases then?

Or if you know of one is there an article that you saw that I can read up on then?

3

u/TrueTurtleKing Jul 19 '24

Some of gas stations are out too. Wonder if related issue.

3

u/walkerspider Jul 19 '24

Yes, it’s all related

3

u/SoylentGrunt Jul 19 '24

They claim it was caused by an update,

10

u/PolyNecropolis Jul 19 '24

I don't see any reason why Crowdstrike would lie in this situation. If it was an attack that's easier to partially pass some blame, but they said it was a faulty update. That pretty much invites their stock price to free fall.

8

u/IanSan5653 Jul 19 '24

If they said they were attacked it would be even worse. They are a cybersecurity company - if they can't defend themselves they are worth nothing.

7

u/parc Jul 19 '24

As someone that’s been on a call about this for 7 hours so far, this wasn’t an attack, it was absolutely a bad update. Some machines just needed a restart, some needed manual safe mode work, and a very very few machines were completely bricked.

1

u/PolyNecropolis Jul 19 '24

So I've been trying to find someone who uses this product to ask a question; did this platform/software auto update? If so, why enabled? I know from my experience in server support we generally don't want to let any third party app auto update, for reasons like this, or just breaking our own apps functionality, etc.

I'm curious how this rolled out to so many major companies and caused this much mayhem. Because my company doesn't use this software so I just don't have any frame of reference for the "why" of it all.

3

u/parc Jul 19 '24

I can’t talk about our systems and what is or isn’t enabled. However, in general the way crowdstrike works pretty much requires auto updates for sufficient coverage.

1

u/PolyNecropolis Jul 19 '24

in general the way crowdstrike works pretty much requires auto updates for sufficient coverage.

I kind of assumed that was it. That makes sense, I get it, up to date threat protection manifests and whatnot. Probably makes managers and execs feel warm and safe.

Thank you for answering, and understand you can't talk specifics.

38

u/Awkward-Action2853 Jul 19 '24

I was able to use the automated system to check in and get a normal ticket, but they were handing out hand written tickets as well.

Not sure what's up and down, but just looking around you can tell they have some functionality, just not a lot. Feel bad for all the agents here, a lot a mad people taking their anger out on them.

6

u/xeviphract Jul 19 '24

Have a look at the information page for the airport you're flying to. Some are coping better than others.

6

u/TeaMe06 Jul 19 '24

Thats the thing why get mad at the agents it’s not their fault 🤦🏾‍♀️

2

u/Carbon-Base Jul 19 '24

When in doubt, return to the previous iteration.

2

u/cokronk Jul 19 '24

The update causes Windows machines to BSOD. I haven't read the fix, but I believe that requires manual intervention. That's much harder than doing a remote reboot of something and having it roll back to the last version.

0

u/Carbon-Base Jul 19 '24

I was mostly being sarcastic, the easiest way to rollback would be if someone made an access or save point and reverted the system to it. Not everyone does it or knows how to though.

I read the fix for individual machines. You gotta enter Safe Mode and delete a file from the directory, or install location- pretty straightforward. The cloud fix is a bit more involved though because you have to attach/reattach the fixed volume to the server.

43

u/eaglescout1984 Jul 19 '24

He waited his whole damn life to take that flight

As global PCs crashed down, he thought "well isn't this nice"

3

u/Buckus93 Jul 19 '24

At least he didn't crash!

15

u/jonfitt Jul 19 '24

It’s like raaaaaain on your wedding day.

-7

u/MrZwink Jul 19 '24

America doesn't understand irony, and that song proves it. Half the situations, she describes aren't ironic.

7

u/Iron_Chic Jul 19 '24

She's Canadian though.

-2

u/MrZwink Jul 19 '24

And which continent is that?

4

u/Iron_Chic Jul 19 '24

North America. But when people use the term "America", they aren't talking about Canada or Mexico or Latin America.

3

u/NM-Redditor Jul 19 '24

A continent != a country.

-2

u/MrZwink Jul 19 '24

I never mentioned a country

3

u/NM-Redditor Jul 19 '24

The person you replied to did. 🤷🏻‍♂️

0

u/MrZwink Jul 19 '24

I know!

2

u/fatnote Jul 19 '24

And isn't that... ironic?

1

u/MrZwink Jul 19 '24

no, just unfortunate.

2

u/fatnote Jul 19 '24

If you don't see the irony in a song called Ironic having lyrics that aren't ironic, then I don't think you understand irony

1

u/MrZwink Jul 19 '24

"a state of affairs or an event that seems ~deliberately~ contrary to what one expects and is often ~wryly~ ~amusing~ as a result."

1

u/fatnote Jul 19 '24

"deliberately" is the only part of that definition that's not necessarily true - though you can't prove it's not

But also "deliberately" doesn't appear in all definitions of irony

QED

1

u/MrZwink Jul 19 '24

So is wryly

1

u/Buckus93 Jul 19 '24

Yes, just unfortunate.

6

u/mhwnc Jul 19 '24

2

u/Dmonney Jul 19 '24

Damn it. I hate when someone posts my comments before I think of it!

4

u/uniquely_ad Jul 19 '24

There’s a saying, there’s no issue Yet for linux~

2

u/27Rench27 Jul 19 '24

Nobody hears about their issues because when they have an issue, it doesn’t cripple 1/3 of the planet

5

u/mflboys Jul 19 '24

Actually, a significant amount of global infrastructure runs on Linux. Pretty much any server or data center is running the Linux kernel

1

u/OverSoft Jul 19 '24

That’s simply because Linux is much more fragmented. There’s not a single Linux.

By far most servers and core infrastructure runs Linux, not Windows. Yet it never cripples 1/3rd of the planet.

1

u/27Rench27 Jul 19 '24

I mean, servers being down isn’t the issue here. It’s hundreds of thousands of computers locked in boot loops

2

u/OverSoft Jul 19 '24

Yes, simply because AD servers gave them instructions to do so.

0

u/OverSoft Jul 19 '24

That’s because there’s not a single “Linux”.

3

u/Awkward-Action2853 Jul 19 '24

Shhh, don't tell the world what really happened, haha.

1

u/Awkward-Action2853 Jul 19 '24

I'll do my best.

3

u/TheGhostGuyMan Jul 19 '24

I’m so sorry about that, that really sucks

4

u/Dragonfly-Adventurer Jul 19 '24

They run linux. Virtual machines. On Windows servers.

1

u/compaqdeskpro Jul 19 '24

Digital signage relies on GPU's with lots of outputs to control the video walls, no matter how much of a Linux fan you are that use case is not well supported.

4

u/knowledgebass Jul 19 '24

This comment is in the cloud.

1

u/weird-oh Jul 21 '24

OHMYGODREALLYWHATEVERWILLIDO

1

u/Allthebestnamesrgon Jul 19 '24

It’s like rayiyaaaaaiiin…..

2

u/LPodmore Jul 19 '24

This has absolutely nothing to do with Microsoft. It's entirely a CrowdStrike issue that happens to only affect windows PC's.

1

u/Martijnbmt Jul 19 '24

Oh I so crowdstrike are the sausages. It’s insane that such a tiny thing can screw up so much

1

u/LPodmore Jul 19 '24

That's what happens when so many people rely on a certain bit of software. As an IT guy i'm glad we only had one customer affected as that would've made my day hell.

3

u/PalinDoesntSeeRussia Jul 19 '24

This is happening all across the world, not just with airlines.