Comment Re:Just saying... (Score 1) 189

Dear Crowdstrike, you insisted on software with "god level" privs.

It’s not as if Microsoft leaves them a whole lot of choice. Since Windows NT 3.1, Windows has only ever supported two of the four Intel rings of execution — Ring 0 (kernel mode) and Ring 3 (user mode). If drivers had the option of running in Ring 1 they could potentially be isolated when they misbehave without risking corrupting kernel structures — but that option doesn’t exist. The only place where CrowdStrike Falcon Sensor can functionally run on Windows is in Ring 0. That’s a Windows architecture flaw IMO.

AFAIK there are no sufficient APIs to allow Ring 3 processes in Windows to monitor kernel events.

In contrast, on macOS CrowdStrike Falcon Sensor runs as a System Extension entirely in user space (Ring 3 on Intel; I’m not sure if Apple Silicon uses the same notation). It used to be a kext (kernel extension) that ran in Ring 0/kernel mode, but after Apple introduced Endpoint Security Framework (and limitations to running/installing kexts on Apple Silicon) CrowdStrike redeveloped Falcon Sensor to use these new facilities to run completely in Ring 3. Had this flaw hit macOS, the OS simply would have isolated the misbehaving Falcon Sensor without crashing the system.

So I’d say it’s less that CrowdStrike “insisted” on “god level” privs on Windows than it is that they don’t have any choice. Where they do have choice (macOS) they run in plain old user mode — and by all accounts, continue to function just as well as they ever did running in kernel mode.

Yaz

Comment Re:This is stupid (Score 1) 139

I’ll admit I’ve never done development with fanotify, so I’m open to being corrected here.

From what I understand of fanotify, it’s well suited for something like a virus scanner — but what CrowdStrike Falcon Sensor does is much more than file-level scanning. It’s also doing in-memory checks, and looks for patterns of events that may indicate malicious activity.

Indeed, the P-code file that killed Windows instances the other week was intended to check for certain types of improper use of Windows named pipes (one of the reasons why the flaw didn’t affect any other platforms was that only Windows was vulnerable to the type of attack being monitored, and thus macOS and Linux didn’t require that specific p-code). From what I understand of fanotify, it wouldn’t have been useful in this situation.

Yaz

Comment Re:This is stupid (Score 4, Interesting) 139

Having this code fail because of an error in an external file is just sad.

FWIW, in this case the external file contains P-code which then gets to run in kernel context.

I think that attempting to blame Microsoft is a red herring or an attempt to try and drag some bigger pockets into the blame pool in hopes of some future remuneration from those bigger pockets.

No, there is sufficient reason to also blame Microsoft. Tools like CrowdStrike must run in kernel mode in part because Microsoft doesn’t really give them a lot of other options. Back when NT 3.1 was being developed, Microsoft made the decision to only support Ring 0 and Ring 3 (kernel mode/user mode respectively) for performance reasons — switching between rings can take 150+ clock cycles, and can be slow. But the Intel CPU supports four Rings of execution, with Ring 1 intended for device drivers.

Modern Windows works in this way to this day. Had Microsoft been more focussed on safety and less on raw performance, drivers could run in Ring 1 and could be isolated from the kernel. A Ring 1 CrowdStrike Falcon Sensor driver could, in theory, be isolated from the system when it misbehaved, allowing the system to remain online. But Microsoft being Microsoft, they chased performance over safety — so we have a situation where an errant driver like the Falcon sensor can bring the whole system down.

If you want to see a system that does it right, look at how Falcon Sensor runs on macOS. There the Falcon Sensor is written as a modern System Extension, and leverages DriverKit Endpoint Security extensions — where it has all the access it needs to system events, but runs completely in user mode. Should CrowdStrike on macOS run into a similar problem, the system can just isolate it and shut it down without crashing the entire system like Windows.

What the FSF is failing to say here is that Linux has the same basic flaws that Windows has when it comes to misbehaving drivers. Linux also only supports Ring 0/Ring 3, and doesn’t provide a way for something like the Falcon Sensor to run in user mode à la macOS. Indeed, certain Linux distros with certain kernel revisions have already had kernel panics due to CrowdStrike earlier this year.

You can’t wait a week for your security software to be updated when there are actors online actively exploiting zero-day vulnerabilities. CrowdStrike absolutely screwed the pooch on this one. But both Microsoft and Linux still assume we live in the device driver world of the 1990s, where you release a driver and maybe just do a few bug fixes every few months, and which eventually becomes stable enough not to change. In the 202X online world we need both security software that is constantly updated and appropriate driver protection guarantees to simply disable misbehaving drivers like this one. Unfortunately, the only major OS doing any work in this area seems to be Apple — Linux could learn something from them in this regard. Maybe instead of claiming that being able to choose from multiple OS vendors using the same kernel is the solution, the FSF could instead work with the Linux kernel maintainers to look at mechanisms to isolate drivers, so when they misbehave they don’t take down the entire system with them.

Yaz

Comment Re:It hit me. (Score 1) 41

It's just a reminder that when you're just renting, Apple owns everything and are just letting you use it.

For the record, I wasn’t locked out of using any of my systems - only from using any of Apple’s online services. My Mac, iPad, and iPhone continued to work just fine and continued to allow me to run whatever applications I wanted.

Given that, you could apply your silly statement to every online service in the world, including here on /.

Yaz

Comment It hit me. (Score 3, Interesting) 41

It hit me right in the middle of a FaceTime call. Lost the call, was logged out of everything, and was then required to change my password. Wound up getting locked out, and had to use my wife’s iPhone to get an account unlock code from Apple. Changed password, and then had to go through all my devices to update the password to get back in.

Didn’t take up a lot of time, but really wasn’t something I wanted to have to deal with when it happened. But both my wife’s and my daughter’s Apple accounts were unaffected.

Yaz

Comment Re:Good, but what about inflation? (Score 1) 23

Constitutionally yes health care belongs to the provinces. I'm sure you are aware that in reality that is not the case. The Canada Health Act firmly inserts the feds into the system and has for most of my life.

Running the health systems is completely the purview of the Provinces. The major requirements of the Canada Health Act are mostly in terms of what services are offered (so that we don’t have a nationally fractured system where basic procedures aren’t universal).

Other than that, there is the health transfer from the Federal Government down to the Provinces — but the Provinces aren’t supposed to rely solely on that transfer to fund their health care systems. And that money typically doesn’t come with any strings attached (other than it be used for healthcare).

Crumbling systems are entirely the fault of the Provinces. The licensing of Doctors happens at the Provincial level (albeit by the various Provincial colleges), training and education happens at the Provincial level, hiring of Doctors and Nurses happens at the Provincial level, and the construction of hospitals happens at the Provincial level. And those are the parts of the system that have been failing, and mostly because successive Conservative Provincial governments have been starving the system.

Yaz

Comment Re:Good, but what about inflation? (Score 1) 23

Anyone who has been paying attention knows our health care system has serious issues.

The bulk of which aren’t due to the Federal government, as in Canada the provision of healthcare services is the domain of the Provinces.

It’s notable that two of the Provinces with the worst problems are led by Conservative Premiers, who have been dismantling health care systems in their Province as a way to try to bring in more American-style private for-profit healthcare.

Yaz

Comment Re: They probably got there from medical care. (Score 1) 105

These were the very first mRNA vaccines brought to market.

Being "first to market" doesn't indicate something is unsafe or untested. Research into mRNA has been ongoing since the 1960s, and the first mRNA human vaccine trials started in 2001, with the first human clinical trials for a rabies mRNA vaccine starting in 2013.

In this case, "being first to market" is misleading, as mRNA vaccines already had 20 years of human testing by the time the first COVID-19 mRNA vaccines were approved.

Yaz

Comment Re:Already solved problem (Score 1) 177

Hyundai’s keyfob does the same — but if you’ve parked at a mall (as one example) and are walking around with the keyfob in your pocket, the relay attack will work just fine (unless you’ve put the keyfob into a faraday pouch).

The motion sensor kill switch is great for when you’re at home and your key is in a drawer, but not otherwise.

Yaz

Comment Re:Programming Code (Score 1) 177

HOTP (RFC 4226) would serve nicely

HOTP (and TOTP) wouldn’t help in this case, as it’s not that the authentication is being broken. The problem is that in allowing proximity alone to activate the authentication, you can create a simple RF bridge to fake the proximity portion. You don’t even need to parse the RF signal or bring it back into the digital domain — at their most basic, these devices aren’t snooping the authentication, nor doing a MITM attack — they just boost the signal from the keyfob, and relay signals from the car back to the fob, allowing the fob to authenticate even when it’s distant from the car.

The most mathematically perfect authentication in the world isn’t going to fix that. Allowing the convenience of the car unlocking when the keyfob is apparently “near” means that just boosting the signal between fob and car when they’re not proximate allows those two devices to perform a normal authentication — and the device in the middle doesn’t even need to know how the authentication works, nor parse (nor try to hack/fake) the data being relayed. Better authentication doesn’t fix that — it’s an issue of the protocol making assumptions of proximity that are easily faked via basic signal boosting.

But these people could obviously not even be bothered to do some minimal research.

Hey, kinda like your post!

Yaz

Comment Re: If you park outside.. (Score 1) 177

The problem here is that the “real” key fob is still the one in this attack doing the authentication, so it will still work regardless.

The problem is that this authentication happens automatically based on proximity — and the attack fakes the proximity, and not the authentication. The authentication here is still real, and doesn’t need to be faked — they’re not doing a MITM attack, just providing a bridge such that the car thinks the fob is nearby, at which point they authenticate as expected.

Your proposed solution doesn’t fix this problem, as it’s not an authentication problem in the first place. The attackers aren’t faking the authentication, nor are they even providing it — they just provide an RF bridge to boost the signals such that the car and key think they are in proximity, at which point the car and key authenticate and unlock the vehicle.

Hyundai does at least have an automatic power-kill switch built into their fobs when they’re at rest; however I don’t know if this is in use in the UK (where it appears the majority of attacks of this sort against the IONIQ 5 are made).

Yaz

Comment Re: If you park outside.. (Score 1) 177

It is my understanding (as an IONIQ 5 owner) that Hyundai already has a partial solution in that once the fob is still for a few seconds, it effectively shuts itself off completely (and powers back up when it detects motion again).

This is great for a situation where you’re at home and your key is in a drawer, but isn’t as ideal in a situation where you’ve parked away from home and are walking around within relay distance with the key in your pocket — in which case it will remain powered on and can be relayed.

Yaz
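The relay attack described in the three comments above (the relay forwards RF blindly, so the real fob does the real authentication, and stronger crypto such as HOTP changes nothing; a motion-sleep fob lying still defeats it, a fob in a walking owner’s pocket does not) as a simulation. This is an added example, not code from the thread or from any carmaker: the fob/car protocol is a hypothetical HMAC-SHA256 challenge-response standing in for whatever the real cars use, the 2 m range, the shared key and the scenario distances are constructed, and the motion-sleep behaviour is modelled only as described in the comments.

```python
from __future__ import annotations

import hashlib
import hmac
import os

RF_RANGE_M = 2.0          # constructed: the car only hears a fob within 2 m
SHARED_KEY = b"constructed-demo-key-not-a-real-fob-key"   # constructed


class Fob:
    """Passive-entry fob: answers any challenge it hears while awake."""

    def __init__(self, key: bytes, sleeps_when_still: bool = False):
        self.key = key
        self.sleeps_when_still = sleeps_when_still
        self.moving = True                    # in a pocket, being walked around

    def awake(self) -> bool:
        # Hyundai-style behaviour from the thread: a fob that has been still
        # for a few seconds powers its radio down until it moves again.
        return self.moving or not self.sleeps_when_still

    def respond(self, challenge: bytes) -> bytes | None:
        if not self.awake():
            return None
        # Hypothetical protocol: HMAC over the car's challenge. Any sound
        # challenge-response (HOTP included) behaves the same way here.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    """Issues a fresh random challenge and verifies the response."""

    def __init__(self, key: bytes):
        self.key = key

    def try_unlock(self, channel) -> bool:
        challenge = os.urandom(16)
        response = channel.send(challenge)
        if response is None:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


class DirectRF:
    """Honest air interface: the fob only hears the car if physically close."""

    def __init__(self, fob: Fob, distance_m: float):
        self.fob, self.distance_m = fob, distance_m

    def send(self, frame: bytes) -> bytes | None:
        if self.distance_m > RF_RANGE_M:
            return None
        return self.fob.respond(frame)


class Relay:
    """Two-box relay: box A stands by the car, box B by the fob, joined by a long link.

    It forwards raw bytes in both directions and never decodes them, which is
    why the strength of the challenge-response crypto is irrelevant to it.
    """

    def __init__(self, fob: Fob):
        self.box_b = DirectRF(fob, distance_m=1.0)   # attacker B walks beside the victim
        self.bytes_relayed = 0                       # the only thing the relay "knows"

    def send(self, frame: bytes) -> bytes | None:
        self.bytes_relayed += len(frame)
        response = self.box_b.send(frame)            # opaque forward: car -> fob
        if response is not None:
            self.bytes_relayed += len(response)
        return response                              # opaque forward: fob -> car


def run_scenarios() -> dict[str, bool]:
    car = Car(SHARED_KEY)
    plain_fob = Fob(SHARED_KEY)
    sleepy_fob = Fob(SHARED_KEY, sleeps_when_still=True)
    results: dict[str, bool] = {}

    # 1. Owner at the door: normal unlock.
    results["fob_next_to_car"] = car.try_unlock(DirectRF(plain_fob, 1.0))
    # 2. Fob 40 m away at the mall, no attacker: out of range, no unlock.
    results["fob_far_no_relay"] = car.try_unlock(DirectRF(plain_fob, 40.0))
    # 3. Same distance, relay in between: the real fob authenticates, car unlocks.
    results["fob_far_with_relay"] = car.try_unlock(Relay(plain_fob))
    # 4. Motion-sleep fob lying still in a drawer: radio off, relay gets silence.
    sleepy_fob.moving = False
    results["still_fob_with_relay"] = car.try_unlock(Relay(sleepy_fob))
    # 5. Same fob in the pocket of a walking owner: awake, so the relay works again.
    sleepy_fob.moving = True
    results["walking_fob_with_relay"] = car.try_unlock(Relay(sleepy_fob))
    return results


if __name__ == "__main__":
    for name, unlocked in run_scenarios().items():
        print(f"{name:24s} unlocked={unlocked}")
```

Swapping the HMAC for HOTP, a longer key or a signature changes nothing in scenario 3, because the relay never touches the bytes; only scenario 4, where the fob itself refuses to answer, breaks the attack, which is the distinction the comments draw between the drawer at home and the walk through the mall.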

Comment Re:Like it or Not (Score 2) 557

That is a scientific fact no matter how hard or how fast you wave your hands.

Science makes no such claim. Indeed, science has yet to fully encapsulate what it means to be “alive” in the first place.

So stop claiming that science says what you want it to say, just because that’s the result you desire. That in and of itself is not science.

Yaz

Comment Re:Microsoft’s “cheating” wasn&am (Score 1) 155

Nope - didn’t forget; as you pointed out MS gave up on Xenix in the late 80’s, and I specifically stated (as you quoted) “UNIX wasn’t even on Microsoft’s radar in the 90’s”.

MS did some stuff with UNIX in the 70s and 80s, but by the 90s they were all in on DOS/Windows and Windows NT, with a bit of Mac OS (before it was UNIX based).

Yaz

Comment Re:you could argue... (Score 4, Insightful) 155

You could, but it would be a fanboy argument and meaningless. MacOS is successful because it's MacOS, not because of Unix, and it is only coincidentally Unix under the covers.

Strong disagree. While creative types have long favoured Mac, most hard-core developers and power users eschewed it for other platforms — until around 2003/2004, when OS X became mature enough and developers with UNIX-style toolchains moved over in droves.

Go back to relevant /. stories around that timeframe, and you’ll see how common it suddenly became to go to conferences and see 80%+ of developer laptops being PowerBooks (and later MacBook Pros). That was virtually unheard of just a year prior — and a lot of devs still prefer it to Windows, because most UNIX-style commands and toolchains “just work”.

Yaz
