undefined | Better HN

0 pointspreciousoo1y ago0 comments

Someting I’ve been thinking about, esp since that crowdstrike debacle. Why do major distributors of infrastructure (msft in case of crowdstrike, DHS/TSA here) not require that vendors with privileged software access have passed some sort of software distribution/security audit? If FlyCASS had been required to undergo basic security testing, this (specific) issue would not exist

0 comments

woodruffw1y ago

They often do. The value of those kinds of blanket security audits is questionable, however.

(This is one of the reasons I'm generally pro-OSS for digital infrastructure: security quickly becomes a compliance game at the scale of government, meaning that it's more about diligently completing checklists and demonstrating that diligence than about critically evaluating a component's security. OSS doesn't make software secure, but it does make it easier for the interested public to catch things before they become crises.)

deepsun1y ago

Well, the value is ok, if considered seriously.

Also, any certificate bears a certificator company name. We can always say "company A was hacked despite having its security certified by company B". So that company B at least share some blame.

ethbr11y ago

In practice, most commercial attestations/certifications contain enough weasel language that the certifier isn't responsible for anything missed (i.e. reasonable effort only).

But yes, there are many standards for this (e.g. SOC Type 2 reports).

In defense of their utility, the good ones tend to focus on (a) whether a control/policy for a sensitive operation exists at all in the product/company & (b) whether those controls implemented are effectively adhered to during an audited period.

3 more replies

doctorpangloss1y ago

> The value of those kinds of blanket security audits is questionable,

You're totally right. Why are people afraid to say that they're worthless? Why caveat or equivocate?

Adversaries in computer security do not mince words.

pinkmuffinere1y ago

“Worthless” is quite a strong claim. There isn’t much work I’ve encountered that’s truly “worthless”, even though bad work can make me quite upset. Anyways, that’s why I would often caveat.

2 more replies

woodruffw1y ago

I’d rather understate a medium-confidence opinion than overstate it.

irundebian1y ago

Because it's better than nothing when independent organizations are reviewing systems or other organizations. It's like saying that penetration tests are useless because you cannot prove security with testing.

kva-gad-fly1y ago

Even if these govt. security audits are checkboxes, dont they require some nominal pentesting and black box testing, which test for things like SQL injection?

That shoudl have caught these types of exposures?

lvturner1y ago

It may not apply to this specific incident, but pen-testing only ensures you meet a minimum standard at a specific point in time.

I almost feel I could write novels (if only I had time and could adequately structure my thoughts!) on this and adjacent topics but the simple fact is that the SDLC in a lot of enterprises/organizations is fundamentally broken, unfortunately a huge portion of what breaks it tends to occur long before a developer even starts bashing out some code.

vips7L1y ago

In the case of msft/crowdstrike isn't this exactly the opposite of what HN rallies against? The users installed crowdstrike on their own machines. Why should microsoft be the arbiter of what a user can do to their own system?

advael1y ago

They automatically occupy that position because in practice no user of a microsoft system can audit the entire "supply chain" of that system, unlike one built from open-source components. Any "control" someone has over "their own" system is ultimately incomplete when there is a company that owns and controls the operating system itself and has the sole power to both fix and inspect it

Dalewyn1y ago

>no user of a microsoft system can audit the entire "supply chain" of that system,

Yes you can, you can access the source code to audit it.

https://en.wikipedia.org/wiki/Shared_Source_Initiative

preciousooOP1y ago

Microsoft determines who they give root access signing keys to

snarfy1y ago

Because the EU required them to.

1 more reply

bronco210161y ago

Money. Eventually the lobbyists would make it so cumbersome to get the certification that only the defense industry darlings would be able to do anything. Look at Boeing Starliner for an example of how they run a “budget”.

sandworm1011y ago

They do. But market forces have pushed the standards down. Once upon a time a "pen test team" was a bunch of security ninjas that showed up at your office and did magic things to point out security flaws you didn't know were even a thing. Now it is a online service done remotely by a machine running a script looking for known issues.

b1121y ago

"I made my fortune with nmap, you can too."

ethbr11y ago

Great, now my YouTube recommendations are also on HN...

advael1y ago

Unfortunately we're in kind of the worst of all possible worlds here too. Not only do we want to "automate" these kinds of tests, but governments have bought into the "security through obscurity" arguments of tech giants, so the degree to which these automations can even be meaningfully improved is gated in practice by whoever owns the tech itself approving of some auditor (whether automated or human) even looking at it. The author of this article takes the serious risk of retaliation by even looking into this

niklasrde1y ago

Part of the reason why Crowdstrike have access, why MS wasn't allowed to shut them out with Vista was a regulatory decision, one where they argued that somebody needs to do the job of keeping Windows secure in a way that biased Microsoft can't.

So, I guess you could have some sort of escrow third party that isn't Crowdstrike or MS to do this "audit"?

Or see this for a much better write up: https://stratechery.com/2024/crashes-and-competition/

not2b1y ago

MS could have provided security hooks similar to BPF in Linux, and similar mechanisms with Apple, rather than having Crowdstrike run arbitrary buggy code at the highest privilege level.

IcyWindows1y ago

Crowdstrike configured Windows to not start if their driver could not run successfully.

That's not the default option for kernel drivers on Windows, so this was an explicit choice on Crowdstrike's part.

cratermoon1y ago

They could have, however the timeline the regulators gave Microsoft to comply was incompatible with the amount of work required to build such system. With a legal deadline hanging over their heads Microsoft chose to hand over the keys to their existing tools.

2 more replies

tedunangst1y ago

Crowdstrike could have included a BPF interpreter in their driver and used it for all the dangerous logic.

preciousooOP1y ago

Replied in another comment, but I’m aware of the regulation that made msft give access. To my knowledge though, there’s nothing in the regulation that stops them from saying “you have to pass xyz (reasonable) tests before we allow you to distribute kernel level software to millions of people”

immibis1y ago

So, all companies must gatekeep like Apple? By law?

astura1y ago

I've delivered software to the US government. My software has always been required to undergo security auditing.

cratermoon1y ago

Oh they usually do require some kind of proof of security certification. However the checkbox audits to get those certs and the kinds of solutions employed to allow them to check off the boxes are the real problem.

edm0nd1y ago

I do believe that is the point of having things like FedRAMP and StateRAMP.

Your company must meet said requirements to become a vendor for certain agencies or even be able to submit an RFP for governmental agencies.

indymike1y ago

Sigh. The company is a different problem than the product. Sally in accounting who has pii on her desk is a totally different problem than that the team that wrote insecure code 15 years ago.

paulddraper1y ago

Of course they require that.

Now, why wasn't the requirement enforced? Or why didn't the audit turn this up? Good questions.

But all of those are going to have some kind of requirement, e.g. FedRAMP.

preciousooOP1y ago

Good to know, didn’t know this program existed, but makes a lot of sense that it does. Why it wasn’t enforced is an incredibly huge question now

j / k navigate · click thread line to collapse

0 comments

woodruffw1y ago

They often do. The value of those kinds of blanket security audits is questionable, however.

deepsun1y ago

Well, the value is ok, if considered seriously.

Also, any certificate bears a certificator company name. We can always say "company A was hacked despite having its security certified by company B". So that company B at least share some blame.

ethbr11y ago

In practice, most commercial attestations/certifications contain enough weasel language that the certifier isn't responsible for anything missed (i.e. reasonable effort only).

But yes, there are many standards for this (e.g. SOC Type 2 reports).

3 more replies

doctorpangloss1y ago

> The value of those kinds of blanket security audits is questionable,

You're totally right. Why are people afraid to say that they're worthless? Why caveat or equivocate?

Adversaries in computer security do not mince words.

pinkmuffinere1y ago

2 more replies

woodruffw1y ago

I’d rather understate a medium-confidence opinion than overstate it.

irundebian1y ago

kva-gad-fly1y ago

Even if these govt. security audits are checkboxes, dont they require some nominal pentesting and black box testing, which test for things like SQL injection?

That shoudl have caught these types of exposures?

lvturner1y ago

It may not apply to this specific incident, but pen-testing only ensures you meet a minimum standard at a specific point in time.

vips7L1y ago

advael1y ago

Dalewyn1y ago

>no user of a microsoft system can audit the entire "supply chain" of that system,

Yes you can, you can access the source code to audit it.

https://en.wikipedia.org/wiki/Shared_Source_Initiative

preciousooOP1y ago

Microsoft determines who they give root access signing keys to

snarfy1y ago

Because the EU required them to.

1 more reply

bronco210161y ago

sandworm1011y ago

b1121y ago

"I made my fortune with nmap, you can too."

ethbr11y ago

Great, now my YouTube recommendations are also on HN...

advael1y ago

niklasrde1y ago

So, I guess you could have some sort of escrow third party that isn't Crowdstrike or MS to do this "audit"?

Or see this for a much better write up: https://stratechery.com/2024/crashes-and-competition/

not2b1y ago

MS could have provided security hooks similar to BPF in Linux, and similar mechanisms with Apple, rather than having Crowdstrike run arbitrary buggy code at the highest privilege level.

IcyWindows1y ago

Crowdstrike configured Windows to not start if their driver could not run successfully.

That's not the default option for kernel drivers on Windows, so this was an explicit choice on Crowdstrike's part.

cratermoon1y ago

2 more replies

tedunangst1y ago

Crowdstrike could have included a BPF interpreter in their driver and used it for all the dangerous logic.

preciousooOP1y ago

immibis1y ago

So, all companies must gatekeep like Apple? By law?

astura1y ago

I've delivered software to the US government. My software has always been required to undergo security auditing.

cratermoon1y ago

edm0nd1y ago

I do believe that is the point of having things like FedRAMP and StateRAMP.

Your company must meet said requirements to become a vendor for certain agencies or even be able to submit an RFP for governmental agencies.

indymike1y ago

Sigh. The company is a different problem than the product. Sally in accounting who has pii on her desk is a totally different problem than that the team that wrote insecure code 15 years ago.

paulddraper1y ago

Of course they require that.

Now, why wasn't the requirement enforced? Or why didn't the audit turn this up? Good questions.

But all of those are going to have some kind of requirement, e.g. FedRAMP.

preciousooOP1y ago

Good to know, didn’t know this program existed, but makes a lot of sense that it does. Why it wasn’t enforced is an incredibly huge question now

j / k navigate · click thread line to collapse