The officially official Devuan Forum!

You are not logged in.

#26 2024-07-29 11:18:44

stargate-sg1-cheyenne-mtn
Member
Registered: 2023-11-27
Posts: 190  

Re: Why cloud dependency and push updates is a bad thing

here is former Google engineer Avery Pennarun — now the CEO/founder of Tailscale regarding the centralized nature(and central point of failure) that is the current www/web/cloud/internet/etc

https://tailscale.com/blog/new-internet

also see:

https://www.techradar.com/news/upcoming-windows-11-pro-update-will-force-you-to-have-an-internet-connection

iirc, apple also does this...


Be Excellent to each other and Party On!
https://www.youtube.com/watch?v=rph_1DODXDU
https://en.wikipedia.org/wiki/Bill_%26_Ted%27s_Excellent_Adventure
Do unto others as you would have them do instantaneously back to you!

Offline

#27 2024-07-29 14:37:47

golinux
Administrator
Registered: 2016-11-25
Posts: 3,316  

Re: Why cloud dependency and push updates is a bad thing

Sigh . . . in the windows article this:

This could negatively effect users in parts of the world without reliable internet . . .

Good grief . . . idiot writer doesn't know the difference between effect and affect. And they get paid to produce this drivel? We are doomed! LOL!

Offline

#28 2024-07-29 20:26:19

quickfur
Member
Registered: 2023-12-14
Posts: 431  

Re: Why cloud dependency and push updates is a bad thing

It's an article about Windows, whaddya expect? 😂

Nothing to see here, move along. 😜

Offline

#29 2024-07-29 20:39:01

golinux
Administrator
Registered: 2016-11-25
Posts: 3,316  

Re: Why cloud dependency and push updates is a bad thing

Good advice. Users on this forum deserve better than offerings like this..

Offline

#30 2024-07-29 23:37:44

The-Amnesiac-Philosopher
Member
Registered: 2023-08-24
Posts: 429  

Re: Why cloud dependency and push updates is a bad thing

My wife is a Flight Attendant for Delta Airlines.

A recent Windows' update completely broke their system...hundreds of flights cancelled...flight attendants stranded around the world...no way to get home...having to pay to stay in hotels themselves, buy their food, etc. This has been going on for over 2 weeks (maybe 3 weeks ???).

Two other major airlines were also affected by the update; however, they had backup plans. Both of those airlines had things backed** up and going within a week. Delta is STILL a mess.

Hey Delta...you ever thought of switching to Linux???

**EDIT: Changed "back" to "backed".

Last edited by The-Amnesiac-Philosopher (2024-07-29 23:42:52)

Offline

#31 2024-07-29 23:45:23

The-Amnesiac-Philosopher
Member
Registered: 2023-08-24
Posts: 429  

Re: Why cloud dependency and push updates is a bad thing

...at least Delta can afford to pay a pilot $20,000 to make an emergency overseas' flight for 17 hour's of work.

...and no, I'm not kidding.

Offline

#32 2024-07-30 00:57:33

quickfur
Member
Registered: 2023-12-14
Posts: 431  

Re: Why cloud dependency and push updates is a bad thing

This could be a great time to sell Devuan to Delta. tongue

Just don't get caught in a situation where the plane has to make an emergency landing and the pilot has to recompile the kernel...

Or the pilot needs to engage the emergency landing gear and discovers that he needs to download and install a driver from the non-free section of the repo first. :-D

Offline

#33 2024-07-30 01:02:25

quickfur
Member
Registered: 2023-12-14
Posts: 431  

Re: Why cloud dependency and push updates is a bad thing

Anyway, jokes aside, this whole fiasco is living proof of why forced push updates are Evil(tm).  The admin doesn't even have a chance to review whether or not to go ahead, Windows just updates itself without being told to, because it's simply too cool not to install the latest and greatest preemptive multitasking features, and show it off by simultaneously rebooting and crashing.

In a sane world, the admin would first be notified that updates are available, and if he was a sane person, he'd roll out updates gradually, to batches of terminals / endpoints, then test to see if everything is alright before proceeding to upgrade the rest of the endpoints.  But alas, we do not live in a sane world, and updates are just blindly pushed to all endpoints independently of the admin. People are putting a mighty lot o' trust in these Big Tech corporations, I gotta say.

Offline

#34 2024-07-30 02:42:22

soren
Member
Registered: 2023-04-30
Posts: 142  

Re: Why cloud dependency and push updates is a bad thing

@quickfur
As the old saying goes, "common sense is not so common anymore" rings true throughout the millennia. I have read conspiracies that there were possibly dark designs behind the breach that's why the file or whatever got zeroed out before it could be analyzed properly, possibly a fail safe mechanism built in just in case it did what it did last week and crashed millions of pc's, so in effect no one would get any value from the kernel crash dumps.

Offline

#35 2024-07-30 05:18:55

steve_v
Member
Registered: 2018-01-11
Posts: 381  

Re: Why cloud dependency and push updates is a bad thing

Dependence on cloud nonsense aside, this really comes down to crowdstrike's implementation:
* Falcon sensor is an old-school kernel driver (as opposed to running in a kernel VM, e.g. eBPF modules).
* It's also marked as boot-critical, so "safe mode" doesn't bypass it.
* It loads files (and potentially executable code too) from userland without sufficient input validation.
* It's written in C++, it's not memory-safe, and invalid data (in this case a bunch of literal nothing) in a definition update caused a null-pointer dereference.

IOW, this is a crowdstrike fuckup, and a pretty serious one at that. Whoever came up with the architecture for falcon sensor (at least on Windows) should be fired immediately.
Not only is this a fragile single point of failure, the apparent lack of input validation makes it a rootkit waiting to happen as soon as somebody manages to sneak in a compromised definition update.

There are ways to do something like this without producing a massive SPOF (or at least making it more easily recoverable), and this all stinks of arrogance and "infallibility culture" at crowdstrike.
Their big shiny selling point is "instant updates", and to achieve that they sidestepped driver validation and threw out decades of best-practice when it comes to running code in kernel space. This is ring-0 plug-n-play printer driver levels of "don't do that".
Perhaps it will wake their customers up to the peril of granting IDDQD rights to a bunch of chimpanzees.

AV vendors abusing their privs to do stupid things isn't remotely new, we've had gratuitous SSL tampering for years, we've had easily hijackable update mechanisms, and we've had products that decompress potentially malicious payloads in kernel-space, to mention just a few dumb ideas off the top of my head.
Surely by now somebody has realised that giving J.Random AV slinger god-mode in the name of "muh securitee" and "users are too stupid to be trusted" is a bad plan... Surely.

Last edited by steve_v (2024-07-30 05:43:20)


Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

Offline

#36 2024-07-30 09:23:20

quickfur
Member
Registered: 2023-12-14
Posts: 431  

Re: Why cloud dependency and push updates is a bad thing

Unfortunately, where there is money to be made, such foolhardiness will continue to propagate.

Offline

Board footer