Post Ak5aWIRmWRfBN0OCg4 by shortridge@hachyderm.io
 (DIR) Post #Ak5aWCD1iOIO1VRKqW by shortridge@hachyderm.io
       2024-07-19T11:55:17Z
       
       1 likes, 1 repeats
       
       and this is why we need to stop absolving *commercial* cybersecurity vendors of software quality concerns.

       there should be multiple checks preventing this type of broken content in an update. how did they allow it to ship to so many machines all at once?

       #crowdstrike
       
 (DIR) Post #Ak5aWDQBCyPXmabLzE by sullybiker@sully.site
       2024-07-19T13:02:06Z
       
       0 likes, 0 repeats
       
       @shortridge Their updater does it all; it pulls changes automatically, outside of the OS methods. They broke it and fixed the update very quickly, but alas the damage was done on many machines, as it is such a low-level tool.
       
 (DIR) Post #Ak5aWFYPHMBEOgSx5U by shortridge@hachyderm.io
       2024-07-19T11:57:52Z
       
       0 likes, 0 repeats
       
       this is why I’ve side-eyed any federal document about software #security, quality, or #resilience that demonizes open source software while touting the virtues of commercial cybersecurity products

       as if those products aren’t notorious for deep access + flimsy quality…

       I’ve written about this concern in two separate RFIs to CISA et al (with co-conspirator @rpetrich):

       1) on OSS security https://kellyshortridge.com/blog/posts/rfi-open-source-security-response/
       2) on secure by design https://kellyshortridge.com/blog/posts/rfi-secure-by-design-response/

       #crowdstrike
       
 (DIR) Post #Ak5aWIRmWRfBN0OCg4 by shortridge@hachyderm.io
       2024-07-19T11:59:20Z
       
       0 likes, 0 repeats
       
       ^ In our RFIs, we note that commercial security software is often a boon for attackers given its deep access + poor quality

       indeed, much of it resembles malware in functionality. in the #Crowdstrike case now, it’s poorly written malware. “Skidiot” shit, as a friend would say…

       For all the ballyhooing about open source, why don’t we take the security of commercial security software more seriously?
       
 (DIR) Post #Ak5aWLZKuoUN3IwmMy by shortridge@hachyderm.io
       2024-07-19T12:00:57Z
       
       0 likes, 0 repeats
       
       so, how do we plan to zero trust the zero trust software?

       and do we call this a cybersecurity attack? it is an attack by the cybersecurity industry on our nation’s infrastructure, after all… #Crowdstrike
       
 (DIR) Post #Ak5abIXraKiz7dcRCC by sullybiker@sully.site
       2024-07-19T13:03:03Z
       
       0 likes, 0 repeats
       
       @shortridge I have to say I did not know they were so widespread
       
 (DIR) Post #Ak5digX36IJzPDS5YW by strypey@mastodon.nzoss.nz
       2024-07-19T13:37:50Z
       
       0 likes, 0 repeats
       
       @shortridge
       > this is why I’ve side-eyed any federal document about software security, quality, or resilience that demonizes open source software while touting the virtues of commercial cybersecurity products

       Damn right. Doing this is either impressively incompetent, or is driven by perverse incentives. It does make sense if they work for people who benefit whenever folk outside their organisation install the less secure software or configure their software to have more holes.

       @rpetrich
       
 (DIR) Post #Ak5jGmj54qEeEV9wDA by clacke@libranet.de
       2024-07-19T13:07:24Z
       
       0 likes, 0 repeats
       
       @sullybiker @shortridge Ironically enough, if they survive this, it might be a huge PR win for them.