
Who had the "failure of a CrowdStrike update" (or something like it) in their threat model? And if you did, was it categorized as low likelihood and high impact? How many other things do we categorize that way? It might be time to take another look at those items we consider "low likelihood." And if the impact is high or critical, maybe dig a little deeper. Are you ready?

#infosec
#cybersecurity
#threatmodel
#risk
#CrowdStrike

AAARRRGGGHHHHHHHHHH!!!!!!!!

Channel 4 News, in talking about today's #Microsoft #CrowdStrike fuckup, stated that Y2K was imaginary.

No! No! NO!

We did a massive amount of work to update and ensure systems would keep on working. And more importantly WE TESTED EVERYTHING FULLY BEFORE GOING LIVE.

Context: someone on the birdside is blaming #crowdstrike on DEI hiring

Here’s the thing folks. I’ve been coding 32 years. When something like this happens it’s an organizational failure. Yes, some human wrote a bad line. Someone can “git blame” and point to a human and it’s awful. But it’s the testing, the CI/CD, the A/B testing, the metered rollouts, an oh shit button to roll it back, the code coverage, the static analysis tools, the code reviews, the organizational health, and on and on 1/3

A lot of people think I'm being sarcastic here, which is fair because I only went toe-to-toe against people on Twitter and didn't do much here, so I'll state my full opinion below anyhow:

I would agree with anyone about not wanting to replace C (or C++). But, C has been alive for 50 years (or just 35 from C89) and Rust has been alive for just barely under 10 (since Rust 1.0). Even if you measure the last 10 years of Rust versus the last 10 years of C or C++, one of these languages is making leaps and bounds ahead in providing people better primitives to do good work.

SafeInt secured pretty much all of Microsoft Office from some of the hardest bugs back in, around, 2005. C++ still lacks safe integer primitives; C only just got 3 functions to do overflow-checked math in C23, after David Svoboda campaigned for years. Rust just... has them baked into the standard library, for all the types you care about, too.

Similarly, people have been having memory issues in C and C++ for a while too. Most of the way to get better has been clamping down on static analysis and doing more testing, but we're still getting these errors. Meanwhile, teams writing Rust have been making far fewer errors on this in all the openly-published data from corporations like Google, and privately we are hearing a lot more about people taking complex financial and parsing code and turning it into Rust and having a fraction of the issues.

Even if I want to see C doing better, I have to acknowledge we were (a) too slow and not brave enough to do the things that could fix these portions of the language; (b) have fundamental design issues in the language itself that make ownership impossible to integrate as part of the language without breaking a ton of code; (c) do not provide good in-language tools and keep depending on vendors to "do the right thing" (i.e. adding or expanding U.B. and then just saying "vendors will check it" rather than taking responsibility with our language design); (d) are moving monumentally too slow to address the needs of the industry that many people -- especially security people -- have been yelling about since the mid 90s.

As much as I just want to pretend that I can write off every developer with "haha lole skill issue test better sanitize better IDIOT", if the root cause on this bug is "there was some C and/or C++ code that looked nominally correct but did batshit insanity in production", we absolutely will have problems to answer for. This doesn't absolve CrowdStrike for cutting 100s of workers and playing fast and loose, this doesn't excuse the fact that hospitals went down and people likely died from lack of access to care, this doesn't change that it's abhorrent to have unmitigated hardware access in Ring0 just for a "security product", which has been the trend of every app wanting to plug in its own RootKit-like tool just for the sake of "app security" lately (League, NProtect, School Exam Spyware, etc.). There's a LOT of levels of "what the fuck have we let happen?" in play here, but I don't control those other levels.

I'm responsible for C, so I'm gonna look at the C bit. Other people responsible for the other parts of this stack should, hopefully, take sincere responsibility for those parts. (I doubt it, though, lmao.)
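As an added illustration of the "safe integer primitives" point in the post above (example code added here, not the poster's own), this shows the classic allocation-size calculation with and without overflow checks. It is written in portable C with hand-rolled checks; C23's `ckd_mul`/`ckd_add` from `<stdckdint.h>` express the same checks directly.

```c
/* Added example: what "overflow-checked math" buys you on the
 * count * elem_size + header pattern behind many historic heap bugs.
 * Portable C; C23's ckd_mul/ckd_add in <stdckdint.h> do the same job. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Unchecked: what most pre-C23 code does. On overflow the product wraps,
 * so a huge count can yield a tiny size_t, an undersized buffer, and a
 * later write past its end. */
size_t alloc_size_unchecked(size_t count, size_t elem_size, size_t header) {
    return count * elem_size + header;
}

/* Checked multiply: a * b overflows iff b > SIZE_MAX / a (for a != 0). */
static bool checked_mul(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return true;   /* overflow */
    *out = a * b;
    return false;
}

/* Checked add: a + b overflows iff b > SIZE_MAX - a. */
static bool checked_add(size_t a, size_t b, size_t *out) {
    if (b > SIZE_MAX - a) return true;             /* overflow */
    *out = a + b;
    return false;
}

/* Checked version: returns false and leaves *out untouched when the size
 * is not representable, so the caller refuses the allocation outright
 * instead of silently allocating a wrapped, too-small buffer. */
bool alloc_size_checked(size_t count, size_t elem_size, size_t header,
                        size_t *out) {
    size_t body;
    if (checked_mul(count, elem_size, &body)) return false;
    return !checked_add(body, header, out);
}
```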

Concerning CrowdStrike:

We are now at t+26h. Please compare how much we knew about the xz-attack after less than a day with what we know about the chain of events of the giant outage yesterday.

If something similar had been caused by an OSS component, we would see congress discussing a ban on open software in critical infrastructure already.

“We live in capitalism. Its power seems inescapable. So did the divine right of kings. Any human power can be resisted and changed by human beings. Resistance and change often begin in art. Very often in our art, the art of words.” Ursula Le Guin was always ahead of the curve.
#leGuin

Any sufficiently bad software update is indistinguishable from a cyberattack…

I've been doing a little reading on Gladys West. If you aren't sure who that is:

Gladys Mae West is an American mathematician known for her contributions to the mathematical modeling of the shape of the Earth, and her work on the development of the satellite geodesy models that were eventually incorporated into the Global Positioning System (GPS).

She's uhhh...kind of a big deal. Anyway, this little tidbit I read was fascinating to me, because it tells you how important accessibility is:

Before being hired, West initially turned down the job due to its location and the requirement to interview. West did not have a car and could not find Dahlgren on a map, and she believed that they would reject her after the interview because of her race.

uspol, Biden 

P.S. Every once in a while, someone will point out that Trump has explicitly promised to deport roughly the same number of people who migrated during the 1947 Partition of India¹, an event that, um, did not go smoothly. The cool kids will point and jeer: “Nerd!” they will say, and banish them to a different cafeteria lunch table. (1/3)


Meanwhile, NYT is running with strongman stuff and how fortunate Trump is. It’s not subtle.

The RNC has been the most racist/hate-filled convention of my lifetime and I watched quite a few in history class from before I was born. Most of the media are fawning over this horror show, and don’t even realize they are the “them” these maniacs are speaking of with their signs and slogans or think they’ll be safe from the regime.

1/2

I wrote my senators and representative in congress to ask them to block the Pro Codes Act. We should not have to pay money to be able to read the laws that govern our lives.

act.eff.org/action/tell-congre

But it just doesn't make any sense they said; it's a useless old relic they said; you should simply switch to our centrally-managed solution fully protected by CrowdStrike they said

Quick question: what part of organizing the world’s information and making it universally accessible and useful is this?

developers.googleblog.com/en/g

I like to think that every time someone sees a lone masker (me obviously) on the ferry, it's a little tiny deposit in their "masking is ok actually" savings account, ready for a future withdrawal. After all, "masks when sick" is a big win compared to "never masks."

I’m a cis white male American Sign Language interpreter. I go into a lot of places and am nearly always welcomed and treated well. Mostly, I think it’s because of my work, but I’m aware my race and gender play a part too. That said, there are few places I feel my privilege more keenly than in courthouses. More than half the time, I’m waved past the metal detectors. I can walk past the bar in courtrooms without being stopped by bailiffs. When court staff learn who I am, I’m often greeted with friendliness, even deference sometimes, as there aren’t many people who do what I do.

When I see how others who don’t look or dress like me are treated while in the same spaces, I’m forcefully reminded that there are still two Americas. There is still so much work to do in the US, and I’m committed to that work.

In terms of equality and personal freedoms, this November is going to be the most critical and consequential election I’ve ever witnessed in my (not so short) lifetime. Please, please, please vote for democracy and against totalitarianism - because that’s what this vote will be. I’m more convinced of that than ever.

At rehearsal this morning, Dr. Rogers asked us to memorize one section. A latte and scone will help with that.

(I’m at a week-long chorus workshop in Denver.)

@futurebird @stevegis_ssg I honestly like that aspect of alt text.

I have to tell people what I wanted them to see.

What's the point of including that graph?

It really helps people understand. I like that a lot.

It's really not limited to sight impairments.
