1
00:00:16,399 --> 00:00:18,640
Hello and welcome to another edition of Black

2
00:00:18,800 --> 00:00:21,359
Hills Information Security talking about news. We have

3
00:00:21,359 --> 00:00:23,039
a cast of characters here to talk about

4
00:00:23,039 --> 00:00:24,960
the CrowdStrike thing, but before we get started,

5
00:00:25,294 --> 00:00:26,330
I just wanna point out,

6
00:00:27,047 --> 00:00:30,553
you're gonna be fine. It's gonna be okay.

7
00:00:31,031 --> 00:00:32,147
Take deep breaths.

8
00:00:33,277 --> 00:00:35,188
Unless you're in an airport, then you're screwed.

9
00:00:35,745 --> 00:00:37,974
Or if you're running Bitdefender. If you're

10
00:00:37,974 --> 00:00:40,522
running Bitdefender, I saw somebody recommend on

11
00:00:40,682 --> 00:00:42,604
Twitter it's time to just like, walk out

12
00:00:42,604 --> 00:00:44,273
of the office and give up at that

13
00:00:44,273 --> 00:00:46,974
point. But other than those things, it's gonna

14
00:00:46,974 --> 00:00:49,755
be okay. We think most likely,

15
00:00:50,327 --> 00:00:52,155
So today we wanted to put this together

16
00:00:52,155 --> 00:00:54,064
because ambulance chasing is fun. We wanted to

17
00:00:54,064 --> 00:00:55,415
put together a bunch of people that kind

18
00:00:55,415 --> 00:00:57,721
of understand what's going on. So we could

19
00:00:57,721 --> 00:00:59,334
talk about it, but also commiserate.

20
00:01:00,204 --> 00:01:02,524
if you're on discord, I wanna see those

21
00:01:02,524 --> 00:01:04,125
memes folks? Like, what are some of the

22
00:01:04,125 --> 00:01:06,204
best memes you're seeing from this CrowdStrike thing?

23
00:01:06,525 --> 00:01:07,424
This is cathartic.

24
00:01:07,819 --> 00:01:09,418
It helps us get through these things.

25
00:01:09,737 --> 00:01:11,576
If I come across as flippant and I'm

26
00:01:11,576 --> 00:01:13,574
joking and all of that, I'm not doing

27
00:01:13,574 --> 00:01:15,492
that to make light of anybody that's dealing

28
00:01:15,492 --> 00:01:18,459
with this situation and really struggling today. I'm

29
00:01:18,459 --> 00:01:20,127
doing it because we're trying to use this

30
00:01:20,127 --> 00:01:22,351
as laughter as the best medicine and we're

31
00:01:22,351 --> 00:01:25,632
laughing hopefully with you. We're not laughing at

32
00:01:25,688 --> 00:01:28,093
anybody I also want make it very clear

33
00:01:28,093 --> 00:01:30,565
that also goes for the engineers at Crowd

34
00:01:30,565 --> 00:01:30,804
Strike.

35
00:01:31,442 --> 00:01:33,196
It's fun to make memes it's fun to

36
00:01:33,196 --> 00:01:34,631
make jokes every once in a while, but

37
00:01:34,711 --> 00:01:36,560
I want you to understand on the onset

38
00:01:36,560 --> 00:01:38,873
before we get started on this. Software dev

39
00:01:38,873 --> 00:01:41,128
for very large software projects is

40
00:01:41,505 --> 00:01:44,855
incredibly difficult. Kernel Dev is even more difficult.

41
00:01:45,348 --> 00:01:47,887
So please have a heart for the engineers.

42
00:01:48,602 --> 00:01:50,030
As far as the salespeople that are

43
00:01:50,030 --> 00:01:52,252
trying to capitalize on this, don't give

44
00:01:52,252 --> 00:01:54,910
them any quarter at all. But honestly,

45
00:01:55,285 --> 00:01:57,510
we really wanna make sure that everyone understands

46
00:01:57,510 --> 00:01:59,178
this comes from a place of love. We're

47
00:01:59,178 --> 00:02:00,926
joking about it. We're trying to get through

48
00:02:00,926 --> 00:02:02,214
it. And it's kind of a little bit

49
00:02:02,214 --> 00:02:04,521
of gallows humor. I have Joff to

50
00:02:04,521 --> 00:02:06,271
help talk about kernel stuff and what's going

51
00:02:06,271 --> 00:02:09,314
on. Patterson Cake is here, runs our IR

52
00:02:09,314 --> 00:02:10,294
practice at BHIS.

53
00:02:10,914 --> 00:02:12,835
How many reboots is your son up to

54
00:02:12,835 --> 00:02:15,569
now. We're at 18 and counting. We're

55
00:02:15,569 --> 00:02:18,126
at 18 and counting. One of those solutions was

56
00:02:18,126 --> 00:02:20,442
to keep rebooting the system 15 times and

57
00:02:20,442 --> 00:02:22,280
then magically the network stack would come up.

58
00:02:22,693 --> 00:02:24,837
Get an update from CrowdStrike. His son

59
00:02:24,837 --> 00:02:26,903
is doing that for us, he's on 18.

60
00:02:27,141 --> 00:02:28,038
Now Patterson

61
00:02:28,491 --> 00:02:30,795
anytime any... Like, we get into a lull

62
00:02:30,795 --> 00:02:32,797
in this. It kinda gets into that just

63
00:02:32,797 --> 00:02:34,391
shout out how many reboots we're at. We

64
00:02:34,391 --> 00:02:36,383
just need to know because I was worried

65
00:02:36,383 --> 00:02:37,817
that that was just a lot of, like,

66
00:02:37,976 --> 00:02:39,273
hot air, but we're 19...

67
00:02:39,903 --> 00:02:41,176
19 and counting.

68
00:02:42,051 --> 00:02:44,278
I got John Hammond. If there's anybody that

69
00:02:44,278 --> 00:02:47,315
knows malware, knows viruses, knows what's going on,

70
00:02:48,268 --> 00:02:49,142
except for today.

71
00:02:50,651 --> 00:02:53,034
We're all like, what the hell?

72
00:02:53,272 --> 00:02:54,623
So I called up, John, and I'm like,

73
00:02:54,782 --> 00:02:56,211
dude, what the hell is going on? He's like,

74
00:02:56,784 --> 00:02:58,460
I don't know. I haven't slept much, man.

75
00:02:59,417 --> 00:03:01,492
It's just really, really super busy, but we're

76
00:03:01,492 --> 00:03:03,407
really happy that John is here to help

77
00:03:03,407 --> 00:03:04,125
us talk about it.

78
00:03:04,858 --> 00:03:06,772
Matt is also on who... By the way,

79
00:03:06,932 --> 00:03:09,484
Matt works for Black Hills Information Security, by

80
00:03:09,484 --> 00:03:11,797
the way, wearing this today. He is

81
00:03:11,797 --> 00:03:14,405
a full-time employee of Black Hills Information

82
00:03:14,683 --> 00:03:16,909
Security, much to the surprise of

83
00:03:16,909 --> 00:03:19,293
other people at Black Hills Information Security.

84
00:03:20,009 --> 00:03:23,049
But he also does, like, bypass and exploit

85
00:03:23,049 --> 00:03:24,729
kernel-level stuff at BHIS.

86
00:03:25,530 --> 00:03:27,609
Derek has been around for a long time at

87
00:03:27,769 --> 00:03:29,849
BHIS. I think he's, like, employee number

88
00:03:29,849 --> 00:03:30,729
6 or 7.

89
00:03:31,305 --> 00:03:33,224
Something. And he just keeps showing up to

90
00:03:33,224 --> 00:03:35,384
these things. But he also is the lead

91
00:03:35,384 --> 00:03:36,905
on our SOC services,

92
00:03:37,305 --> 00:03:38,745
so we wanna bring him in on this,

93
00:03:38,905 --> 00:03:40,753
and then we've got Jason. Who you all

94
00:03:40,753 --> 00:03:43,135
know, Jason is just like, here at kind

95
00:03:43,135 --> 00:03:45,199
of when we get too technical, dropping in

96
00:03:45,199 --> 00:03:47,898
questions, bringing in hot takes, little jokes

97
00:03:47,898 --> 00:03:50,297
and little jabs. And behind the scenes

98
00:03:50,297 --> 00:03:50,934
we have Ryan,

99
00:03:51,570 --> 00:03:54,536
and can everyone send Ryan your love

100
00:03:54,593 --> 00:03:55,627
because he has courage.

101
00:03:56,280 --> 00:03:58,919
He should not even be here. His boss

102
00:03:58,919 --> 00:04:01,080
is an asshole for making him come to

103
00:04:01,080 --> 00:04:04,120
work today. And he put this all

104
00:04:04,120 --> 00:04:07,111
together for us. So, round of applause for Ryan

105
00:04:07,248 --> 00:04:09,637
for making this happen, we really really appreciate

106
00:04:09,637 --> 00:04:11,866
you, Ryan. He makes us look good and

107
00:04:11,866 --> 00:04:14,016
sound good, even whenever he doesn't feel like

108
00:04:14,016 --> 00:04:14,175
doing it.

109
00:04:15,626 --> 00:04:17,859
So, John, you gotta jump off because you

110
00:04:17,859 --> 00:04:19,693
got a very, very, very busy day.

111
00:04:20,650 --> 00:04:22,963
I first learned about this on Twitter, I

112
00:04:22,963 --> 00:04:23,783
jumped on

113
00:04:24,414 --> 00:04:26,249
and I saw a tweet from you early

114
00:04:26,249 --> 00:04:26,988
this morning

115
00:04:27,365 --> 00:04:29,120
where you're, like, hey, there appears to be

116
00:04:29,120 --> 00:04:30,715
some weird things happening.

117
00:04:31,194 --> 00:04:33,188
And I noticed it was, like, 05:00 in

118
00:04:33,188 --> 00:04:35,596
the morning, and that tweet was 3 or

119
00:04:35,596 --> 00:04:38,070
4 hours old. I was like, what the

120
00:04:38,070 --> 00:04:40,065
hell? So you've been working on this quite

121
00:04:40,065 --> 00:04:41,501
a bit. You're probably gonna have one hell

122
00:04:41,501 --> 00:04:43,032
of a day. Do you wanna give us kind

123
00:04:43,032 --> 00:04:44,946
of a rundown of when you first started

124
00:04:44,946 --> 00:04:46,620
hearing about it some... Because you're one of

125
00:04:46,620 --> 00:04:48,694
the first people in the industry that I

126
00:04:48,694 --> 00:04:49,970
know of that was kind of, like, throwing

127
00:04:49,970 --> 00:04:51,246
the alarm bell. Can you give us a

128
00:04:51,246 --> 00:04:53,439
little bit of... Timeline from your perspective

129
00:04:53,740 --> 00:04:54,699
about what's happened here?

130
00:04:56,139 --> 00:04:57,259
Yeah. Thank you so much.

131
00:04:57,980 --> 00:04:59,740
Well, hey, I'll admit. I'm over in the

132
00:04:59,900 --> 00:05:00,300
Pacific time.

133
00:05:00,952 --> 00:05:03,099
Kicking it over in California. So it was

134
00:05:03,099 --> 00:05:05,484
like, 10 or 11:30 ish, and I was

135
00:05:05,484 --> 00:05:07,233
thinking like, well, goodness. We gotta get a

136
00:05:07,233 --> 00:05:09,300
video out tomorrow for some other thing that

137
00:05:09,459 --> 00:05:11,066
I wanted to do, But then I saw

138
00:05:11,066 --> 00:05:11,566
this

139
00:05:12,022 --> 00:05:15,072
fire start to burn in on the subreddit

140
00:05:15,687 --> 00:05:17,360
CrowdStrike? CrowdStrike subreddit.

141
00:05:18,093 --> 00:05:19,768
And folks trying to, hey, starting to flag

142
00:05:19,768 --> 00:05:22,081
it, and I really have the hunch. This

143
00:05:22,081 --> 00:05:23,915
is gonna absolutely imp.

144
00:05:24,633 --> 00:05:26,308
Now were you seeing some of the

145
00:05:26,308 --> 00:05:28,079
the earliest stuff that I saw appeared to

146
00:05:28,079 --> 00:05:30,396
start in Australia and New Zealand. Is that

147
00:05:30,396 --> 00:05:31,755
kinda of where you started seeing it pop

148
00:05:31,755 --> 00:05:33,753
up there? I know. Due to the time

149
00:05:33,753 --> 00:05:35,670
zone, those folks are awake and still tracking

150
00:05:35,670 --> 00:05:37,678
things are the day? I'll admit. I think

151
00:05:37,678 --> 00:05:40,941
the earliest I saw was 09:57PM

152
00:05:41,101 --> 00:05:43,886
Pacific, and that was just the starting gun

153
00:05:44,284 --> 00:05:47,403
on the CrowdStrike subreddit. But I believe everyone

154
00:05:47,403 --> 00:05:49,712
chiming in, but all the comments and responses

155
00:05:49,712 --> 00:05:51,623
to it said, hey, yeah. We're already down and

156
00:05:51,623 --> 00:05:53,374
have been fighting fires here in Australia and

157
00:05:53,454 --> 00:05:55,062
New Zealand whatever. Etcetera. Mh.

158
00:05:55,860 --> 00:05:57,536
And then the US, and I think the rest

159
00:05:57,536 --> 00:05:58,892
of the world started to wake up to

160
00:05:58,892 --> 00:06:00,009
it slowly but surely.

161
00:06:02,336 --> 00:06:03,928
What else can I color the picture on

162
00:06:03,928 --> 00:06:04,406
here for?

163
00:06:05,122 --> 00:06:08,226
So so whenever you first started seeing this

164
00:06:08,226 --> 00:06:09,739
pop up, what was the first inkling? I

165
00:06:09,739 --> 00:06:11,545
mean, we know that as there was something

166
00:06:11,664 --> 00:06:13,257
I mean, it seemed to me like we

167
00:06:13,257 --> 00:06:15,647
knew very early on. It was Microsoft and

168
00:06:15,647 --> 00:06:18,356
CrowdStrike together. That's what the issue was. Right?

169
00:06:18,849 --> 00:06:20,202
But it took a little while to figure

170
00:06:20,202 --> 00:06:22,511
out exactly what was the .sys driver?

171
00:06:23,069 --> 00:06:25,059
Like, how long did that kinda take from

172
00:06:25,139 --> 00:06:26,731
Like, hey, everything is on fire.

173
00:06:27,304 --> 00:06:30,497
Here's possibly what's causing it

174
00:06:30,497 --> 00:06:32,333
to be on fire? Was that, like, an

175
00:06:32,333 --> 00:06:34,089
hour 2 hours, how long do you think

176
00:06:34,089 --> 00:06:36,498
that time window was between oopsies, to,

177
00:06:36,657 --> 00:06:38,010
Here's what we gotta do to deal with

178
00:06:38,010 --> 00:06:40,398
it. It's actually pretty neat. I think you

179
00:06:40,398 --> 00:06:41,989
can see, and I'm trying to see if

180
00:06:42,069 --> 00:06:42,626
I can

181
00:06:43,024 --> 00:06:45,173
track it down in the reddit post just

182
00:06:45,173 --> 00:06:46,942
as well there was I think about a

183
00:06:46,942 --> 00:06:50,077
20-minute delta from when... Hey, some sales

184
00:06:50,135 --> 00:06:53,568
engineer representative from CrowdStrike said, hey, we're aware,

185
00:06:53,568 --> 00:06:56,535
we're seeing widespread reports pretty good bath, etcetera,

186
00:06:56,853 --> 00:06:58,765
etcetera. We'll try to get a a tech

187
00:06:58,765 --> 00:07:01,155
alert or whatever they call their advisory messaging

188
00:07:01,155 --> 00:07:01,952
and knowledge base stuff.

189
00:07:02,907 --> 00:07:04,795
So that was a 20-minute delta, pretty

190
00:07:04,914 --> 00:07:07,376
And then about 15 minutes following the technical

191
00:07:07,376 --> 00:07:09,068
alert came out. And then

192
00:07:09,998 --> 00:07:12,302
around that time, I would say 40 to

193
00:07:12,302 --> 00:07:14,567
50 minutes, maybe an hour is when they

194
00:07:14,705 --> 00:07:17,495
identified, hey, we are seeing this CS

195
00:07:17,495 --> 00:07:19,908
Agent.sys kernel driver being problematic.

196
00:07:20,285 --> 00:07:22,370
It looks like I... And I'm not super

197
00:07:22,370 --> 00:07:24,512
a thousand percent confident on whether it's loading,

198
00:07:24,671 --> 00:07:28,478
some of these C-00000291

199
00:07:28,716 --> 00:07:30,649
dot whatever driver files. Yeah. Yeah.

200
00:07:31,449 --> 00:07:34,089
But those are the hiccups. Those are the

201
00:07:34,089 --> 00:07:36,089
issues. So you've got folks trying to share

202
00:07:36,089 --> 00:07:38,225
some quick scrappy workarounds and

203
00:07:38,823 --> 00:07:41,136
mitigation of, hey, just rename the folder path,

204
00:07:41,535 --> 00:07:42,970
rename it so that way it won't load

205
00:07:42,970 --> 00:07:43,529
the driver.

206
00:07:44,167 --> 00:07:46,240
Bear in mind that will completely cripple Crowd

207
00:07:46,240 --> 00:07:47,995
Strike, so your mileage may vary with that.

208
00:07:48,965 --> 00:07:50,955
I was kinda going back and forth screaming

209
00:07:50,955 --> 00:07:53,126
and shouting on Twitter when I saw Brody

210
00:07:53,501 --> 00:07:55,491
from, I think, the director of OverWatch.

211
00:07:56,142 --> 00:07:58,131
On the CrowdStrike crew, saying, like, look,

212
00:07:58,369 --> 00:07:59,801
here's a little bit more pointed a little

213
00:07:59,801 --> 00:08:01,790
bit more targeted. Make sure you can get

214
00:08:01,790 --> 00:08:02,687
into safe mode

215
00:08:02,998 --> 00:08:08,569
and use the commands to remove the C-00000291

216
00:08:08,569 --> 00:08:09,069
.sys

217
00:08:09,524 --> 00:08:09,843
suffix,

218
00:08:10,654 --> 00:08:13,214
kernel files and drivers. And that was much

219
00:08:13,214 --> 00:08:15,314
sharper and much more accurate than

220
00:08:15,694 --> 00:08:18,014
just rename the folder path, and yeah, because

221
00:08:18,014 --> 00:08:20,498
it doesn't just completely break Crowd

222
00:08:20,498 --> 00:08:22,247
Strike at that. Right. Right. Right.

223
00:08:23,361 --> 00:08:25,508
I don't wanna, hey, ramble for too long.

224
00:08:25,667 --> 00:08:27,272
So if I'm up he's strike look. No

225
00:08:27,431 --> 00:08:30,212
No. Please. Please please. No. But, obviously, I

226
00:08:30,212 --> 00:08:31,484
think a lot of folks will raise their

227
00:08:31,484 --> 00:08:32,835
hand and say, hang on wait a second.

228
00:08:33,471 --> 00:08:35,322
You really want me to do that manually

229
00:08:35,457 --> 00:08:37,704
across, however many, 50,000 endpoints.

230
00:08:38,741 --> 00:08:41,293
Yes. That is the crux of the issue,

231
00:08:42,090 --> 00:08:43,069
and you can

232
00:08:44,084 --> 00:08:46,012
expand that and extend that to whatever... Scale

233
00:08:46,012 --> 00:08:48,158
and size you might like. And folks are

234
00:08:48,158 --> 00:08:49,907
saying, like, well, wait a second. That only

235
00:08:49,907 --> 00:08:51,281
works if you aren't using

236
00:08:51,894 --> 00:08:53,086
BitLocker encryption,

237
00:08:53,895 --> 00:08:55,824
it's going to be harder to do that at scale

238
00:08:55,880 --> 00:08:58,023
because, right, you'd need the BitLocker recovery key

239
00:08:58,023 --> 00:08:58,976
to be able to get into,

240
00:08:59,770 --> 00:09:00,825
that safe mode.

241
00:09:01,454 --> 00:09:03,789
On Reddit, I'm hearing, like, systems

242
00:09:04,087 --> 00:09:06,243
administrators that are straight up like, yeah, I

243
00:09:06,243 --> 00:09:08,158
need to get the recovery keys. It's on

244
00:09:08,158 --> 00:09:09,116
my notebook computer.

245
00:09:10,009 --> 00:09:12,003
Which is blue screened, and I don't have

246
00:09:12,003 --> 00:09:15,831
recovery keys for that system. Like, it's bad.

247
00:09:16,389 --> 00:09:18,144
Like, if... I mean I was joking about

248
00:09:18,144 --> 00:09:20,394
the whole BitLocker thing, but this is

249
00:09:20,394 --> 00:09:22,475
one of those situations where our security products

250
00:09:22,475 --> 00:09:23,915
are getting in the way of our security

251
00:09:23,915 --> 00:09:26,394
products at this point. Not just BitLocker. It's probably

252
00:09:26,394 --> 00:09:28,254
any encryption. It is any.

253
00:09:28,795 --> 00:09:28,875
Right?

254
00:09:30,083 --> 00:09:32,464
Got it. Just watching discord explode with the

255
00:09:32,464 --> 00:09:34,686
memes. Keep them going, keep them annoying. I

256
00:09:34,686 --> 00:09:36,431
don't know memes. I just saw the Steve

257
00:09:36,511 --> 00:09:38,511
Ko meme pop up. And

258
00:09:39,069 --> 00:09:41,081
I never thought I'd see a Steve Ko

259
00:09:41,138 --> 00:09:43,686
meme in an It security webcast, but here

260
00:09:43,686 --> 00:09:45,516
we are in Ko Khaki.

261
00:09:46,408 --> 00:09:48,961
May I... I'm sorry. I don't mean to

262
00:09:48,961 --> 00:09:51,834
stop no. I'd I I'd love to have

263
00:09:51,834 --> 00:09:53,510
all of your hot takes and your

264
00:09:53,604 --> 00:09:55,191
expert opinion, because I know there's been

265
00:09:55,191 --> 00:09:57,175
some chatter where folks are saying, hey, you

266
00:09:57,175 --> 00:09:59,873
can use group policy, push out some automated

267
00:09:59,873 --> 00:10:02,230
tasking and then force the safe mode for

268
00:10:02,587 --> 00:10:04,813
configuration change, blah blah blah, and that is...

269
00:10:05,290 --> 00:10:07,038
I think what some folks are saying, oh,

270
00:10:07,277 --> 00:10:08,492
might be some

271
00:10:08,866 --> 00:10:10,535
to this headache. But wait, wait a minute

272
00:10:10,535 --> 00:10:10,615
now.

273
00:10:11,584 --> 00:10:13,662
If we look at this, you can't even

274
00:10:13,662 --> 00:10:16,539
boot. Like more back isn't coming up. Right.

275
00:10:16,779 --> 00:10:19,257
So group policy, I don't know who... Unless

276
00:10:19,257 --> 00:10:20,455
there's some kind of new thing that's out

277
00:10:20,455 --> 00:10:22,384
there. And like you said, if you're on

278
00:10:22,384 --> 00:10:24,053
discord with us. If you have a link

279
00:10:24,053 --> 00:10:26,360
about that, that would be great. But, apparently,

280
00:10:26,519 --> 00:10:27,950
one of the things they said is reboot

281
00:10:27,950 --> 00:10:30,574
the system 15 times, the network stack will

282
00:10:30,574 --> 00:10:31,051
come back up,

283
00:10:31,784 --> 00:10:34,182
CrowdStrike can reach out and pull down

284
00:10:34,182 --> 00:10:36,419
an update that nukes this file and solves

285
00:10:36,419 --> 00:10:39,296
the issue. We're testing that now. Patterson, what

286
00:10:39,296 --> 00:10:40,175
are we at for reboots?

287
00:10:41,307 --> 00:10:44,641
I fear at 18 or 19, my

288
00:10:44,641 --> 00:10:45,593
my volunteer staff,

289
00:10:46,466 --> 00:10:46,966
quit.

290
00:10:47,895 --> 00:10:48,212
Yeah.

291
00:10:48,783 --> 00:10:48,943
There...

292
00:10:49,659 --> 00:10:52,604
My volunteer staff is directly struggling with this

293
00:10:52,604 --> 00:10:54,355
issue in the enterprise, and so in all

294
00:10:54,355 --> 00:10:54,833
seriousness,

295
00:10:55,310 --> 00:10:58,357
They they were testing this as a potential

296
00:10:59,067 --> 00:11:01,221
solution, and it's just a non-starter.

297
00:11:01,221 --> 00:11:03,454
I've seen reports that it's worked

298
00:11:03,454 --> 00:11:06,086
for some folks. I have two direct

299
00:11:06,086 --> 00:11:08,732
contacts at two significant enterprises, and both have

300
00:11:08,732 --> 00:11:12,545
failed to see any resolution literally up to

301
00:11:12,545 --> 00:11:14,531
18, 19 reboots on a handful of systems.

302
00:11:15,802 --> 00:11:18,105
Yeah. Your mileage may vary, but that is

303
00:11:18,105 --> 00:11:20,585
pretty clearly not a silver bullet at

304
00:11:20,585 --> 00:11:21,722
this point unfortunately.

305
00:11:22,335 --> 00:11:24,641
Yeah. That test of two systems

306
00:11:24,641 --> 00:11:26,391
that we've got going on is not looking good.

307
00:11:27,362 --> 00:11:29,516
George just pointed out, let's go to 50.

308
00:11:30,154 --> 00:11:32,148
Let's see what that does. Maybe that'll do

309
00:11:32,148 --> 00:11:34,700
it. You never know. You never know. You

310
00:11:34,700 --> 00:11:36,295
never know. Once you get to the hundred,

311
00:11:36,375 --> 00:11:39,266
it's that's working out here. Yeah. Just. A

312
00:11:39,266 --> 00:11:41,103
quick question for everyone here. Like, it it

313
00:11:41,103 --> 00:11:42,941
used to be infosec Twitter was the

314
00:11:42,941 --> 00:11:45,504
place to go to find answers and

315
00:11:45,504 --> 00:11:47,889
solutions. Like, is there a centralized place right

316
00:11:47,889 --> 00:11:48,604
now where people were...

317
00:11:49,399 --> 00:11:51,307
I still went to

318
00:11:51,466 --> 00:11:51,625
Twitter.

319
00:11:52,278 --> 00:11:53,873
And Reddit. Those are the two places

320
00:11:53,873 --> 00:11:54,431
that I'm at.

321
00:11:55,468 --> 00:11:57,702
This might get me back on the Twitter

322
00:11:57,702 --> 00:11:59,797
because that's where I'm getting probably the best

323
00:11:59,855 --> 00:12:01,745
information and the best communication with

324
00:12:02,261 --> 00:12:03,928
some of the top people on this, and

325
00:12:04,087 --> 00:12:05,198
I don't know what you all think, but

326
00:12:05,198 --> 00:12:06,548
it's Reddit and Twitter for me is where

327
00:12:06,627 --> 00:12:08,056
I'm getting all of my information on

328
00:12:08,056 --> 00:12:10,438
that. And, of course, the BHIS Discord

329
00:12:10,438 --> 00:12:12,522
server. I would also add Linkedin into this.

330
00:12:13,080 --> 00:12:15,708
I don't usually want to promote LinkedIn for

331
00:12:15,708 --> 00:12:18,018
threat intel, but it's actually

332
00:12:18,018 --> 00:12:19,771
really surprising how much sharing has been done.

333
00:12:20,581 --> 00:12:21,852
Just trying to follow along There's been a

334
00:12:21,852 --> 00:12:23,838
lot of sharing of code and reverse engineering,

335
00:12:24,156 --> 00:12:26,642
kinda figuring it all out through LinkedIn. And

336
00:12:26,778 --> 00:12:28,299
so put LinkedIn.

337
00:12:28,854 --> 00:12:29,092
Yeah.

338
00:12:29,884 --> 00:12:31,232
Yeah, I echo that too.

339
00:12:31,470 --> 00:12:33,768
A Twitter and LinkedIn combination there,

340
00:12:34,975 --> 00:12:36,975
I I tend to lean into Twitter first,

341
00:12:38,414 --> 00:12:40,335
and then, lean on my friends like Matt.

342
00:12:40,495 --> 00:12:40,735
Yeah,

343
00:12:41,855 --> 00:12:42,575
so, yeah.

344
00:12:43,147 --> 00:12:45,051
Who is an employee of BHIS, by the

345
00:12:45,051 --> 00:12:45,924
way, just for the record.

346
00:12:46,956 --> 00:12:48,860
Oh Yeah. I've heard that. Yeah.

347
00:12:49,654 --> 00:12:51,320
So it's kind of interesting that...

348
00:12:51,815 --> 00:12:53,915
Matt and I work very deeply

349
00:12:54,375 --> 00:12:57,014
with lots of malware development. So the minute,

350
00:12:57,815 --> 00:12:58,295
we heard,

351
00:12:59,346 --> 00:13:01,255
of this issue. We both were like, we

352
00:13:01,255 --> 00:13:02,209
know exactly what this is.

353
00:13:03,560 --> 00:13:06,025
So oh, my camera's mirrored apparently. Okay.

354
00:13:07,153 --> 00:13:09,460
Does it... Which is my best side. Is

355
00:13:09,460 --> 00:13:11,232
it this side with this

356
00:13:12,959 --> 00:13:14,311
but it's the side that has the hat

357
00:13:14,311 --> 00:13:16,080
on? You need the hat. Yeah. I need

358
00:13:16,080 --> 00:13:18,720
the hat. Right? I'm, I'm going to mirror

359
00:13:18,720 --> 00:13:21,039
my camera. So that was scary. My god.

360
00:13:21,200 --> 00:13:23,679
That's nausea. Yeah. I saw a lot of

361
00:13:23,679 --> 00:13:24,000
people.

362
00:13:24,573 --> 00:13:26,082
Can you give us a little bit of

363
00:13:26,082 --> 00:13:28,385
information like, okay. So we know that this...

364
00:13:28,544 --> 00:13:30,768
This file is a channel file, And I

365
00:13:30,768 --> 00:13:32,515
scrambled all over the Internet trying to figure

366
00:13:32,515 --> 00:13:33,945
out what the hell a channel file that's

367
00:13:34,119 --> 00:13:35,877
actually, how I opened up my conversation with

368
00:13:36,037 --> 00:13:36,996
John and invited him on.

369
00:13:37,715 --> 00:13:39,873
But, you know, because CrowdStrike people are

370
00:13:39,873 --> 00:13:41,791
saying, oh, it's a channel file. It's not

371
00:13:41,791 --> 00:13:44,115
like a full update. So what I was

372
00:13:44,115 --> 00:13:46,098
able to find out from channel files from,

373
00:13:46,495 --> 00:13:48,717
Mike Felch, ustayready, who's over at

374
00:13:48,717 --> 00:13:51,097
TrustedSec, a good friend of BHIS.

375
00:13:51,589 --> 00:13:53,982
is this is a file for minor updates,

376
00:13:55,019 --> 00:13:58,211
definition updates, very, very small tactical updates.

377
00:13:58,863 --> 00:14:00,612
And the thing that I was kind of

378
00:14:00,612 --> 00:14:02,441
working off of and trying to figure out

379
00:14:02,441 --> 00:14:04,905
is this this something that's generated through automated

380
00:14:04,905 --> 00:14:07,075
means like God help me for saying this

381
00:14:07,132 --> 00:14:07,927
artificial intelligence?

382
00:14:08,499 --> 00:14:11,133
and threat intel pushing updates down to systems, or

383
00:14:11,133 --> 00:14:12,010
is it manual.

384
00:14:12,409 --> 00:14:14,325
And he said based on his information, which

385
00:14:14,325 --> 00:14:15,602
may be out of date by a couple

386
00:14:15,602 --> 00:14:16,341
of years

387
00:14:16,654 --> 00:14:18,410
it was very much manual.

388
00:14:19,208 --> 00:14:21,362
It was a manual like file for these

389
00:14:21,362 --> 00:14:23,357
updates that could be pushed down, but like little

390
00:14:23,357 --> 00:14:24,155
quick tweaks.

391
00:14:24,728 --> 00:14:27,276
So it wasn't an automated thing, and then

392
00:14:27,276 --> 00:14:29,187
people started cracking this thing open,

393
00:14:29,904 --> 00:14:31,895
and it was full of nulls. It was

394
00:14:31,895 --> 00:14:33,981
full of zeros. Now Can you and Matt

395
00:14:33,981 --> 00:14:36,132
talk a little bit about where does Crowd

396
00:14:36,132 --> 00:14:37,190
Strike exist

397
00:14:37,567 --> 00:14:39,001
as it relates to the kernel?

398
00:14:39,559 --> 00:14:40,276
And, like,

399
00:14:41,009 --> 00:14:43,722
what the hell is going on with a

400
00:14:43,722 --> 00:14:45,020
file full of null

401
00:14:45,478 --> 00:14:47,952
coming into it and like, how that impacts

402
00:14:47,952 --> 00:14:51,000
the kernel itself? Yeah. Yeah. Absolutely. So

403
00:14:51,000 --> 00:14:51,798
when you're looking at,

404
00:14:52,756 --> 00:14:53,873
these defensive products,

405
00:14:54,512 --> 00:14:56,826
a modern-day EDR,

406
00:14:58,038 --> 00:14:59,313
marketing acronym of choice.

407
00:15:00,110 --> 00:15:00,906
There are always,

408
00:15:01,464 --> 00:15:04,173
there are typically, in well-developed products,

409
00:15:05,224 --> 00:15:07,376
layers of that product that operate in the

410
00:15:07,376 --> 00:15:10,645
kernel of the operating system and also operate

411
00:15:10,645 --> 00:15:13,037
in what we call the user land space.

412
00:15:13,276 --> 00:15:13,436
Right?

413
00:15:14,968 --> 00:15:17,205
Kernel development, when you when you look at...

414
00:15:17,685 --> 00:15:19,762
So the channel file that we're actually talking

415
00:15:19,762 --> 00:15:21,600
about has an extension of .sys.

416
00:15:22,253 --> 00:15:24,636
And in Windows land, that means it's

417
00:15:24,636 --> 00:15:26,145
a kernel driver. Okay?

418
00:15:28,051 --> 00:15:31,148
Kernel driver development is a very specialized

419
00:15:31,148 --> 00:15:31,307
skill.

420
00:15:32,195 --> 00:15:32,512
It is,

421
00:15:35,366 --> 00:15:37,506
it is a skill that you have to

422
00:15:37,506 --> 00:15:38,006
get

423
00:15:38,379 --> 00:15:41,582
exactly right. Because when you're developing code in

424
00:15:41,582 --> 00:15:42,221
the kernel,

425
00:15:42,781 --> 00:15:44,080
there are no safeguards.

426
00:15:45,418 --> 00:15:47,836
You are responsible for managing all the memory

427
00:15:48,055 --> 00:15:51,010
allocations. You are responsible for managing all

428
00:15:51,010 --> 00:15:54,106
the resources and releasing them correctly. You are

429
00:15:54,106 --> 00:15:56,092
responsible for managing the memory space,

430
00:15:56,743 --> 00:15:59,050
of the driver that you are developing

431
00:15:59,050 --> 00:16:01,755
and maintaining and you... And you are God

432
00:16:01,755 --> 00:16:04,483
at driver level. You can write to anything

433
00:16:04,540 --> 00:16:05,358
in the kernel

434
00:16:05,985 --> 00:16:07,889
and the user space of the operating system

435
00:16:07,889 --> 00:16:09,555
that you want to write to. So it

436
00:16:09,555 --> 00:16:12,197
is a very high trust

437
00:16:13,063 --> 00:16:13,563
development

438
00:16:14,259 --> 00:16:14,759
environment.

439
00:16:15,295 --> 00:16:17,687
Okay? So if we go back historically for

440
00:16:17,687 --> 00:16:20,319
a minute, there there was a time pre

441
00:16:20,478 --> 00:16:21,377
Windows vista

442
00:16:22,801 --> 00:16:23,301
where

443
00:16:23,913 --> 00:16:24,413
most

444
00:16:24,787 --> 00:16:26,876
antivirus products at that time

445
00:16:27,329 --> 00:16:29,894
used to put hooks into the kernel,

446
00:16:31,565 --> 00:16:34,065
SSDT, it's a system service descriptor table

447
00:16:34,845 --> 00:16:38,045
that various kernel calls were using, and they

448
00:16:38,045 --> 00:16:40,615
Was it the global interrupt table

449
00:16:40,615 --> 00:16:43,009
that they were hooking into? Wolf that's local.

450
00:16:43,169 --> 00:16:43,669
It

451
00:16:44,127 --> 00:16:45,883
for each job. Okay. Go ahead. Yeah. It

452
00:16:45,883 --> 00:16:46,681
was global. And,

453
00:16:47,892 --> 00:16:48,369
This

454
00:16:49,005 --> 00:16:49,505
Microsoft

455
00:16:49,880 --> 00:16:52,845
started getting upset with the community because

456
00:16:53,219 --> 00:16:55,207
if they made a mistake doing this,

457
00:16:55,860 --> 00:16:58,579
they would destabilize the kernel and result in

458
00:16:58,579 --> 00:17:00,179
what we're seeing today, right, which is

459
00:17:00,179 --> 00:17:02,579
a blue screen of death. Otherwise known as

460
00:17:02,579 --> 00:17:04,194
a kernel crash. Right?

461
00:17:05,075 --> 00:17:06,194
And so Microsoft,

462
00:17:06,914 --> 00:17:08,855
with the release of Vista kicked

463
00:17:09,474 --> 00:17:10,454
the

464
00:17:10,755 --> 00:17:13,327
virus community at that time out of the

465
00:17:13,327 --> 00:17:16,058
kernel, and they introduced the technology called PatchGuard.

466
00:17:17,310 --> 00:17:17,810
PatchGuard,

467
00:17:18,426 --> 00:17:18,926
basically,

468
00:17:20,353 --> 00:17:23,380
said, you can no longer directly patch the

469
00:17:23,380 --> 00:17:25,053
descriptor tables in the kernel. You're not

470
00:17:25,053 --> 00:17:26,806
allowed to period. And if you do,

471
00:17:27,523 --> 00:17:29,037
we will bug check the system,

472
00:17:29,769 --> 00:17:31,527
in other words, we will crash the system. Right?

473
00:17:32,006 --> 00:17:32,506
So

474
00:17:33,364 --> 00:17:34,003
naturally, the

475
00:17:34,643 --> 00:17:36,800
virus community at that time,

476
00:17:37,612 --> 00:17:39,843
and the emerging, you know, EDR

477
00:17:39,843 --> 00:17:40,560
community eventually.

478
00:17:41,356 --> 00:17:43,348
They were not too happy with that. And

479
00:17:43,348 --> 00:17:46,397
so what happened as we move forward is

480
00:17:46,789 --> 00:17:47,109
These,

481
00:17:48,070 --> 00:17:51,690
vendors started doing what's called user land hooking

482
00:17:52,230 --> 00:17:54,950
in their products. So they would patch into

483
00:17:54,950 --> 00:17:57,039
the user space, not the kernel space,

484
00:17:57,835 --> 00:18:00,302
the DLL in Windows that we all know

485
00:18:00,302 --> 00:18:02,610
and love as ntdll.dll,

486
00:18:03,326 --> 00:18:07,022
which means they were redirecting NT API calls

487
00:18:07,078 --> 00:18:08,824
in the Windows operating system so that they

488
00:18:08,824 --> 00:18:11,522
could get telemetry about what's going on in

489
00:18:11,522 --> 00:18:12,077
the system.

490
00:18:12,791 --> 00:18:13,902
At the same time,

491
00:18:14,554 --> 00:18:17,824
They were petitioning Microsoft: you've got to let

492
00:18:17,824 --> 00:18:19,259
us back into the kernel.

493
00:18:19,818 --> 00:18:22,450
We really really don't like this situation of

494
00:18:22,450 --> 00:18:23,907
having to hook every process

495
00:18:24,379 --> 00:18:26,050
and do all this extra work in user

496
00:18:26,050 --> 00:18:28,278
land just because you won't let us tamper

497
00:18:28,278 --> 00:18:28,914
with the kernel.

498
00:18:30,108 --> 00:18:32,495
Eventually, and I don't know what actually transpired,

499
00:18:32,575 --> 00:18:34,339
of course, I'm not a Microsoft employee,

500
00:18:34,737 --> 00:18:37,756
but eventually, Microsoft relented and said, okay, we

501
00:18:37,756 --> 00:18:40,640
are going to give you some limited means

502
00:18:41,172 --> 00:18:42,149
for you to

503
00:18:43,016 --> 00:18:46,222
develop drivers in the kernel and listen to

504
00:18:46,518 --> 00:18:46,757
telemetry.

505
00:18:47,951 --> 00:18:50,593
And because that was their primary request. And

506
00:18:50,593 --> 00:18:52,687
the telemetry came in the form

507
00:18:53,302 --> 00:18:55,715
of what's called kernel callback

508
00:18:56,250 --> 00:18:56,490
notifications.

509
00:18:57,127 --> 00:18:59,380
And there's multiple different kernel callback

510
00:18:59,836 --> 00:19:02,719
notifications that are involved with kernel drivers. There

511
00:19:02,719 --> 00:19:03,936
are... One...

512
00:19:04,392 --> 00:19:05,666
I wanna jump in real quick on that

513
00:19:05,666 --> 00:19:06,065
history.

514
00:19:06,622 --> 00:19:09,092
There was a huge dust-up between

515
00:19:09,092 --> 00:19:11,411
Symantec and McAfee at that time because they

516
00:19:11,411 --> 00:19:13,952
were the main antivirus vendors. And basically, what

517
00:19:13,952 --> 00:19:16,175
they were planning on doing was just exploiting

518
00:19:16,175 --> 00:19:18,002
the Windows kernel to get the level of

519
00:19:18,002 --> 00:19:19,009
access that they needed,

520
00:19:19,842 --> 00:19:22,140
and it actually got really ugly in

521
00:19:22,140 --> 00:19:23,987
the streets because that was the threat

522
00:19:24,359 --> 00:19:26,182
antitrust. We're just gonna write exploits for it.

523
00:19:26,992 --> 00:19:28,982
Microsoft caved, and this is the kind of

524
00:19:28,982 --> 00:19:32,008
immediate intermediary solution. So go

525
00:19:32,008 --> 00:19:33,760
ahead, keep going, Joe. Yeah. Yeah. So that's

526
00:19:33,760 --> 00:19:35,950
exactly right. So These kernel

527
00:19:36,330 --> 00:19:36,830
callback

528
00:19:37,210 --> 00:19:39,470
notifications are in the form of

529
00:19:39,850 --> 00:19:41,210
a table in memory.

530
00:19:41,690 --> 00:19:43,150
And what happens is

531
00:19:43,463 --> 00:19:46,647
that when a driver installs itself and gets

532
00:19:46,647 --> 00:19:47,045
loaded,

533
00:19:47,920 --> 00:19:48,898
it will

534
00:19:50,228 --> 00:19:51,842
register a callback

535
00:19:52,297 --> 00:19:52,797
notification

536
00:19:53,108 --> 00:19:56,286
that that driver wants to listen to. And

537
00:19:56,286 --> 00:19:59,386
basically, it's telling the Windows kernel when certain

538
00:19:59,386 --> 00:20:03,637
events happen, tell me about that event. And

539
00:20:03,694 --> 00:20:05,126
there are names for these things.

540
00:20:05,842 --> 00:20:09,198
There is a process create notified routine, a

541
00:20:09,198 --> 00:20:12,539
create thread notify routine, a load image routine,

542
00:20:13,017 --> 00:20:16,517
an object register callback routine as well as

543
00:20:16,517 --> 00:20:17,017
a

544
00:20:17,392 --> 00:20:17,631
registry,

545
00:20:18,361 --> 00:20:19,973
activity routine. So

546
00:20:20,744 --> 00:20:23,468
the community was relatively happy

547
00:20:23,921 --> 00:20:26,701
that they got the telemetry back that they

548
00:20:26,701 --> 00:20:27,018
needed,

549
00:20:27,749 --> 00:20:28,946
But bear in mind,

550
00:20:30,303 --> 00:20:32,320
when you are developing

551
00:20:32,698 --> 00:20:35,114
drivers that listen to these callback

552
00:20:35,811 --> 00:20:36,050
notifications,

553
00:20:36,624 --> 00:20:38,638
The kernel is still vulnerable

554
00:20:39,573 --> 00:20:43,101
if that driver that receives the notification

555
00:20:43,557 --> 00:20:44,115
does not...

556
00:20:45,164 --> 00:20:48,446
do the right thing, essentially, and process that

557
00:20:48,582 --> 00:20:50,195
notification in a timely manner

558
00:20:50,569 --> 00:20:53,431
and allow the kernel to continue to operate. Right?

559
00:20:53,924 --> 00:20:56,795
Now the worst of all possible scenarios which

560
00:20:56,795 --> 00:20:59,746
we are experiencing right now is if the

561
00:20:59,746 --> 00:21:00,246
kernel

562
00:21:00,942 --> 00:21:04,249
notification callback routine in the developed driver

563
00:21:05,427 --> 00:21:08,464
crashes or it is not able to be

564
00:21:08,464 --> 00:21:09,423
called. Right?

565
00:21:10,462 --> 00:21:13,531
And from our understanding, the kernel

566
00:21:13,905 --> 00:21:15,676
notification callback that was registered

567
00:21:16,050 --> 00:21:17,719
by the CrowdStrike driver,

568
00:21:18,514 --> 00:21:21,057
called out for it to make a notification,

569
00:21:21,708 --> 00:21:22,208
and

570
00:21:22,583 --> 00:21:25,605
encountered a driver that had bad or missing

571
00:21:25,605 --> 00:21:28,547
code. And that immediately causes the Windows

572
00:21:28,547 --> 00:21:29,422
kernel to crash.

573
00:21:30,314 --> 00:21:32,791
By design because it's a destabilizing effect.

574
00:21:33,990 --> 00:21:34,809
And so

575
00:21:35,668 --> 00:21:37,665
it's a mixture of things that are

576
00:21:37,665 --> 00:21:38,165
going

577
00:21:38,558 --> 00:21:42,616
on here. Right? It's necessary for EDR

578
00:21:42,696 --> 00:21:44,230
to receive

579
00:21:44,924 --> 00:21:46,777
telemetry via these kernel callback

580
00:21:47,152 --> 00:21:47,605
notification

581
00:21:48,283 --> 00:21:51,636
registration events, but there's still a danger and

582
00:21:51,636 --> 00:21:54,669
it's very critical that the driver is developed

583
00:21:54,669 --> 00:21:57,079
very carefully to process these events, in a

584
00:21:57,079 --> 00:22:00,515
timely manner and to not destabilize the kernel.

585
00:22:00,834 --> 00:22:02,352
Right? So this is going to be where

586
00:22:02,352 --> 00:22:05,323
the discussion is and, you know, you can

587
00:22:05,323 --> 00:22:06,279
go further than this,

588
00:22:07,954 --> 00:22:10,208
to understand this is not the only

589
00:22:10,824 --> 00:22:13,750
component of EDRs. While they are

590
00:22:13,949 --> 00:22:14,449
si

591
00:22:14,825 --> 00:22:18,487
telemetry, those drivers are also interacting with the

592
00:22:18,487 --> 00:22:20,898
service process that's running in userland,

593
00:22:21,354 --> 00:22:21,831
typically,

594
00:22:22,484 --> 00:22:22,984
and,

595
00:22:23,524 --> 00:22:25,924
you know, providing that telemetry back to CrowdStrike,

596
00:22:25,924 --> 00:22:26,164

597
00:22:26,724 --> 00:22:27,224
maybe

598
00:22:27,845 --> 00:22:30,005
getting some signature data, that kind of thing.

599
00:22:30,164 --> 00:22:32,180
That that you know, a lot more of

600
00:22:32,180 --> 00:22:35,320
the activity of defending is happening in userland.

601
00:22:35,539 --> 00:22:38,099
That kernel driver is typically acting mostly as

602
00:22:38,099 --> 00:22:39,712
a notification facility. Right?

603
00:22:40,507 --> 00:22:42,994
So that... That's what we're seeing here.

604
00:22:43,051 --> 00:22:45,992
That's as near as I can understand what

605
00:22:45,992 --> 00:22:46,628
happened. Now...

606
00:22:47,599 --> 00:22:48,079
Our

607
00:22:49,039 --> 00:22:51,039
information, and, I think Matt can put up

608
00:22:51,039 --> 00:22:53,839
a slide on this is that the kernel

609
00:22:53,839 --> 00:22:55,759
driver that was pushed with the update,

610
00:22:56,651 --> 00:22:57,525
got installed,

611
00:22:58,399 --> 00:23:00,942
was in fact full of null characters, which

612
00:23:00,942 --> 00:23:02,157
means that the

613
00:23:02,849 --> 00:23:05,649
notifications that immediately hit that driver would have

614
00:23:05,649 --> 00:23:06,868
hit essentially

615
00:23:07,726 --> 00:23:08,286
no code.

616
00:23:09,404 --> 00:23:10,144
And that

617
00:23:10,603 --> 00:23:13,000
absolutely would cause an immediate blue screen of

618
00:23:13,000 --> 00:23:16,226
death. And, there has been some reverse

619
00:23:16,284 --> 00:23:19,154
engineering that has already occurred to actually support

620
00:23:19,154 --> 00:23:20,828
this. Matt, I wonder if you could put

621
00:23:20,828 --> 00:23:22,519
some of that up can you share your

622
00:23:22,519 --> 00:23:24,679
screen and talk about your findings?

623
00:23:25,400 --> 00:23:27,079
Yes. I actually just posted the pictures in

624
00:23:27,079 --> 00:23:28,919
our chats through shared? Yep.

625
00:23:30,371 --> 00:23:32,604
So we go to the other picture for

626
00:23:32,604 --> 00:23:33,083
a second.

627
00:23:34,200 --> 00:23:35,635
You'll kinda see that there's already

628
00:23:36,114 --> 00:23:37,868
under the exception code and access violation, which

629
00:23:37,868 --> 00:23:39,636
which is kind of what Joe was talking about.

630
00:23:40,588 --> 00:23:41,064
But... Yeah.

631
00:23:42,016 --> 00:23:43,841
To your point about the update being full

632
00:23:43,841 --> 00:23:45,666
of Null. What we kinda see right here

633
00:23:45,666 --> 00:23:47,514
was this was paused because

634
00:23:47,903 --> 00:23:50,611
as Josh mentioned, the kernel was expecting something.

635
00:23:51,408 --> 00:23:51,908
And

636
00:23:52,603 --> 00:23:54,514
by doing... I wanna stress a little bit

637
00:23:54,514 --> 00:23:56,107
of research and a little bit of digging

638
00:23:56,107 --> 00:23:56,426
before this,

639
00:23:57,399 --> 00:23:58,858
it looks like it was expecting

640
00:23:59,317 --> 00:24:01,474
an actual Unicode structure of an address,

641
00:24:02,114 --> 00:24:05,070
rather it got back this error code. And

642
00:24:05,070 --> 00:24:06,783
because of that, it crashed

643
00:24:07,399 --> 00:24:09,472
because obviously, the update was full of Null

644
00:24:09,472 --> 00:24:12,183
and didn't have any routines or functions. So

645
00:24:12,183 --> 00:24:14,575
that way, it didn't return a valid result,

646
00:24:15,226 --> 00:24:18,403
causing this screen. Yeah. Just to put

647
00:24:18,403 --> 00:24:21,024
a finer point on that, when you see

648
00:24:21,024 --> 00:24:24,414
an exception that is access violation in Windows

649
00:24:24,534 --> 00:24:26,518
what that typically means is and I see

650
00:24:26,518 --> 00:24:27,946
these all the time because I spend my life

651
00:24:27,946 --> 00:24:28,661
in a debugger.

652
00:24:29,216 --> 00:24:32,565
What that typically means is that a

653
00:24:32,565 --> 00:24:35,742
register in the Cpu has received an address

654
00:24:35,742 --> 00:24:37,728
with all zeros in it, it has tried

655
00:24:37,728 --> 00:24:39,872
to fetch memory at that address.

656
00:24:40,444 --> 00:24:43,311
And that is by definition an access violation

657
00:24:43,311 --> 00:24:46,418
because there is no address of 00000,

658
00:24:46,578 --> 00:24:47,056
whatever. Right?

659
00:24:48,509 --> 00:24:50,429
And at this level. Just to be clear, there

660
00:24:50,429 --> 00:24:52,750
is no structured exception handling. Like, when you're

661
00:24:52,750 --> 00:24:53,890
working... there's no...

662
00:24:54,349 --> 00:24:56,589
There is no recovery. Like... There's

663
00:24:56,589 --> 00:24:58,596
no recovery in the kernel, there is no such thing

664
00:24:58,596 --> 00:25:01,619
as structured exception handling coming. Yeah. It's just

665
00:25:01,619 --> 00:25:04,140
not a thing at all. So the

666
00:25:04,339 --> 00:25:06,339
gotcha, which is why Microsoft has always kind

667
00:25:06,339 --> 00:25:08,579
of been cautious about letting third parties

668
00:25:09,619 --> 00:25:10,420
develop drivers,

669
00:25:10,900 --> 00:25:11,859
especially for this reason.

670
00:25:12,434 --> 00:25:13,790
You see this a lot with, you

671
00:25:13,790 --> 00:25:15,864
know, in the gaming industry, especially the graphic

672
00:25:15,864 --> 00:25:18,097
card drivers and stuff, one small thing crashes

673
00:25:18,097 --> 00:25:19,612
a computer, and all of a sudden, if

674
00:25:19,612 --> 00:25:21,766
your code is introducing that variance.

675
00:25:22,499 --> 00:25:24,653
Suddenly a large player base cannot play

676
00:25:24,653 --> 00:25:25,849
and your game is dead in the water.

677
00:25:26,169 --> 00:25:27,365
But what I actually wanted to kind of

678
00:25:27,365 --> 00:25:28,642
show is that second picture now,

679
00:25:29,614 --> 00:25:31,449
which kind of led me down, there must

680
00:25:31,449 --> 00:25:32,964
be some kind of issue with it. If

681
00:25:32,964 --> 00:25:35,676
you see it under failure bucket ID. This

682
00:25:35,676 --> 00:25:37,989
unknown function because of that structure, it was

683
00:25:37,989 --> 00:25:40,312
supposed to jump to an address. To continue

684
00:25:40,312 --> 00:25:42,297
on the code. But because it was full

685
00:25:42,297 --> 00:25:44,202
of zeros and it returned null, it

686
00:25:44,202 --> 00:25:45,654
actually changed and caused

687
00:25:46,266 --> 00:25:48,743
to jump to an unknown address so far,

688
00:25:48,903 --> 00:25:50,099
this is what I've been able to blow,

689
00:25:50,418 --> 00:25:52,013
and that's actually been part of the root

690
00:25:52,013 --> 00:25:52,811
cause of this crash.

691
00:25:53,688 --> 00:25:53,768
Right.

692
00:25:54,645 --> 00:25:56,639
And so the only way to recover from

693
00:25:56,639 --> 00:25:58,885
a situation where you have a bad driver

694
00:25:58,885 --> 00:26:02,067
in the kernel that already has pre-existing

695
00:26:02,067 --> 00:26:04,453
callbacks in a running system. You've gotta remember

696
00:26:04,453 --> 00:26:04,953
that

697
00:26:05,264 --> 00:26:08,058
the driver itself was written over,

698
00:26:08,776 --> 00:26:11,410
but the pre-existing callback is already in the

699
00:26:11,410 --> 00:26:13,486
callback tables. And so as soon as that

700
00:26:13,486 --> 00:26:13,940
first

701
00:26:14,537 --> 00:26:17,428
notification callback went to the new driver

702
00:26:17,964 --> 00:26:19,558
immediate screen. Right? Mh.

703
00:26:20,834 --> 00:26:21,732
The remedy

704
00:26:22,203 --> 00:26:24,027
is remove the bad driver.

705
00:26:24,741 --> 00:26:25,772
Okay? So that,

706
00:26:26,645 --> 00:26:29,580
CrowdStrike's user code then, once it boots

707
00:26:29,580 --> 00:26:30,080
up

708
00:26:30,626 --> 00:26:32,952
Presumably, I don't know this for a fact, but

709
00:26:33,167 --> 00:26:35,549
other CrowdStrike customers probably know this. The

710
00:26:35,549 --> 00:26:38,249
user level code would reach out for a

711
00:26:38,249 --> 00:26:39,123
new update.

712
00:26:40,170 --> 00:26:40,670
And

713
00:26:41,282 --> 00:26:43,267
as I understand it right now, CrowdStrike

714
00:26:43,267 --> 00:26:44,323
has the corrected

715
00:26:44,696 --> 00:26:47,078
patched version of the driver, and you'll continue

716
00:26:47,078 --> 00:26:48,609
on your way. Right. So I wanna ask

717
00:26:48,609 --> 00:26:50,690
you guys a little bit about load order.

718
00:26:50,929 --> 00:26:53,170
Right? So it sounds like the majority of

719
00:26:53,170 --> 00:26:55,170
the Windows kernel fires up, but

720
00:26:56,381 --> 00:26:59,012
But we're not getting network stacks going enough

721
00:26:59,012 --> 00:27:01,165
to be able to go to CrowdStrike

722
00:27:01,165 --> 00:27:02,999
to pull this off. Tried doing the 15

723
00:27:02,999 --> 00:27:03,956
reboot trick. Right?

724
00:27:04,768 --> 00:27:06,680
It seems to me like, this is, like,

725
00:27:06,839 --> 00:27:10,025
where these drivers load. Yeah.

726
00:27:11,379 --> 00:27:13,664
Is actually before the network stack

727
00:27:14,577 --> 00:27:17,037
It is. And you will not get

728
00:27:17,037 --> 00:27:19,577
a stable kernel with this bad driver in

729
00:27:19,577 --> 00:27:21,957
place. I mean, in my opinion, Matt, Go

730
00:27:21,957 --> 00:27:24,450
ahead. Well, so obviously, when we look at

731
00:27:24,450 --> 00:27:26,450
an EDR, we think about it, they wanna

732
00:27:26,450 --> 00:27:28,049
know what's going across the wire as

733
00:27:28,049 --> 00:27:30,210
well as what's going on during that

734
00:27:30,210 --> 00:27:32,140
boot process. Right? So they put... They're kind

735
00:27:32,140 --> 00:27:33,896
of putting themselves at a higher priority to

736
00:27:33,896 --> 00:27:35,971
be loaded first over the network stack. And

737
00:27:35,971 --> 00:27:37,886
that's kind of where this problem of, you

738
00:27:37,886 --> 00:27:39,969
know, process... Even on a reboot,

739
00:27:40,128 --> 00:27:41,717
it's not getting the update is because by

740
00:27:41,717 --> 00:27:44,655
the time the network stack gets called, the CrowdStrike

741
00:27:44,735 --> 00:27:46,561
driver... So the CrowdStrike driver is already

742
00:27:47,372 --> 00:27:50,156
loaded and it crashes. Right? And if it's

743
00:27:50,156 --> 00:27:52,144
a driver full of null, it'll crash as

744
00:27:52,144 --> 00:27:53,815
soon as it loads, tries to load that

745
00:27:53,815 --> 00:27:54,727
driver. So you're...

746
00:27:55,496 --> 00:27:56,687
I think we've said it a lot, but

747
00:27:56,846 --> 00:27:58,353
I think the most interesting part of this

748
00:27:58,353 --> 00:28:01,766
whole takeaway is a driver update full of

749
00:28:01,766 --> 00:28:04,009
null. That's what I keep going back

750
00:28:04,009 --> 00:28:06,561
to. This doesn't seem like a developer screwed

751
00:28:06,561 --> 00:28:09,431
up and wrote their code poorly. This almost

752
00:28:09,431 --> 00:28:12,337
feels like the file was corrupted. Or something

753
00:28:12,394 --> 00:28:15,019
something in there. I've heard a

754
00:28:15,019 --> 00:28:16,770
lot of mixed things about people saying that

755
00:28:16,770 --> 00:28:18,839
that it's AI generated. I don't believe that.

756
00:28:18,998 --> 00:28:21,003
I think... from what

757
00:28:21,083 --> 00:28:22,676
I'm hearing, this is not a file that

758
00:28:22,835 --> 00:28:25,464
AI generates automatically. That's... And like

759
00:28:25,544 --> 00:28:27,376
I said, the people, like, if we're talking

760
00:28:27,455 --> 00:28:29,128
Mike, or you stay ready on Twitter.

761
00:28:30,496 --> 00:28:32,320
Mike knows this stuff really well from a

762
00:28:32,320 --> 00:28:34,462
CrowdStrike perspective, used to work there, did all

763
00:28:34,462 --> 00:28:36,366
kinds of research for BHIS. He's now at

764
00:28:36,366 --> 00:28:36,921
TrustedSec.

765
00:28:37,894 --> 00:28:39,894
It's not AI generated. As near as

766
00:28:39,974 --> 00:28:42,134
I can tell. No. But something in that

767
00:28:42,295 --> 00:28:45,346
QA process obviously went awry, for this

768
00:28:45,346 --> 00:28:47,575
file ended up with Null in it. Right?

769
00:28:47,814 --> 00:28:49,564
These things happen, I mean, I recently just

770
00:28:49,564 --> 00:28:51,554
upgraded my whole home infrastructure. I got the,

771
00:28:51,633 --> 00:28:53,544
you know, Dream Machine Pro. And when I

772
00:28:53,544 --> 00:28:55,393
plugged it in, it did an update.

773
00:28:55,793 --> 00:28:57,310
The update corrupted the whole OS. I

774
00:28:57,310 --> 00:28:58,829
had to, you know, reflash the entire

775
00:28:58,829 --> 00:29:00,826
thing. It's not unheard of, but I just

776
00:29:00,826 --> 00:29:03,552
think it was some kind of, you

777
00:29:03,552 --> 00:29:06,019
know, safety check before it went live. Yeah.

778
00:29:06,178 --> 00:29:07,292
And we have a lot of people saying

779
00:29:07,292 --> 00:29:09,282
well, someone effed up the code. I really

780
00:29:09,282 --> 00:29:10,635
don't think the code was effed up. I

781
00:29:10,635 --> 00:29:12,585
think it's the build process. So the CI

782
00:29:12,805 --> 00:29:13,865
pipeline somewhere

783
00:29:14,884 --> 00:29:16,325
between point A and point Z. Like I

784
00:29:16,325 --> 00:29:18,085
said, this doesn't look like hands on keyboard,

785
00:29:18,325 --> 00:29:20,325
Oopsies, I used gets().

786
00:29:20,565 --> 00:29:23,456
It's like... So way, like, more basic than

787
00:29:23,456 --> 00:29:25,054
that. Like it... It's definitely an oopsies.

788
00:29:25,294 --> 00:29:28,190
Right? But it's not poor code development,

789
00:29:28,584 --> 00:29:30,738
No, no one forgot a comma, so to

790
00:29:30,738 --> 00:29:32,733
speak. So I've got to

791
00:29:32,733 --> 00:29:34,089
hand it over to John. John has to

792
00:29:34,089 --> 00:29:35,685
jump off. John, do you have anything else

793
00:29:35,685 --> 00:29:36,975
to add, because, by the way, I

794
00:29:36,975 --> 00:29:38,410
wanna say thank you so much for giving

795
00:29:38,410 --> 00:29:40,561
30 minutes of your time today. I know

796
00:29:40,561 --> 00:29:42,075
that you're gonna be real busy. You've been

797
00:29:42,075 --> 00:29:44,317
up all night, and we appreciate you coming

798
00:29:44,317 --> 00:29:45,746
on. Is there anything that you gotta say

799
00:29:45,746 --> 00:29:47,729
before you have to jump off, though? Oh,

800
00:29:47,888 --> 00:29:49,871
goodness. Well, hey, I don't think so. Thank

801
00:29:49,871 --> 00:29:51,299
you so much for letting me be here

802
00:29:51,299 --> 00:29:51,696
with you all.

803
00:29:52,349 --> 00:29:54,849
It's kinda interesting to think on and speculate

804
00:29:54,910 --> 00:29:57,070
as to, okay, what was the root cause

805
00:29:57,070 --> 00:29:58,529
or what are these

806
00:29:59,070 --> 00:30:00,670
impacts and things as it's unfolding,

807
00:30:01,324 --> 00:30:02,039
at the end of the day,

808
00:30:02,753 --> 00:30:04,978
I think I would offer, you know, just

809
00:30:04,978 --> 00:30:07,599
a gentle reminder that the other side across

810
00:30:07,599 --> 00:30:09,982
the screen. It's still another person. So big

811
00:30:09,982 --> 00:30:10,959
hug ops to

812
00:30:11,268 --> 00:30:13,655
CrowdStrike, who are fighting fires the best that

813
00:30:13,655 --> 00:30:15,643
they can, and everyone that is going to

814
00:30:15,643 --> 00:30:17,893
be doing this slowly in recovery and

815
00:30:18,203 --> 00:30:20,107
efforts. You know what it's still it's still

816
00:30:20,107 --> 00:30:21,455
all of us in the same fight. So

817
00:30:21,773 --> 00:30:23,518
we'll be there too. Also, I wanna throw

818
00:30:23,518 --> 00:30:25,422
a shout out to Huntress for not taking

819
00:30:25,422 --> 00:30:27,423
advantage and, like, trying to do marketing and

820
00:30:27,423 --> 00:30:29,252
saying, look, CrowdStrike sucks, we're...

821
00:30:30,207 --> 00:30:31,877
because there are vendors that are doing that.

822
00:30:32,037 --> 00:30:34,679
And by the way, don't party

823
00:30:34,679 --> 00:30:36,353
with those people. Right? We just don't wanna

824
00:30:36,353 --> 00:30:38,825
party with those a-holes. So be sure

825
00:30:38,825 --> 00:30:40,100
to check it out. Also, I'd like to

826
00:30:40,100 --> 00:30:41,947
point out Huntress has a Neighborhood Watch program,

827
00:30:42,027 --> 00:30:43,617
if you wanna give things a try and

828
00:30:43,617 --> 00:30:45,286
play with it, and John is on Youtube

829
00:30:45,286 --> 00:30:46,819
as all of you know, because

830
00:30:47,353 --> 00:30:49,474
you're probably all here because of him. So

831
00:30:49,594 --> 00:30:51,105
Thanks so much, dude. Get out of here

832
00:30:51,105 --> 00:30:52,298
and get back to your day, and

833
00:30:52,298 --> 00:30:54,367
good luck and happy hunting. Thanks, all. See

834
00:30:54,367 --> 00:30:54,764
you soon.

835
00:30:56,849 --> 00:30:59,086
Does see where jeff black Jason's got some

836
00:30:59,086 --> 00:31:01,084
questions. Go ahead. My question is, how do

837
00:31:01,163 --> 00:31:02,143
I explain this

838
00:31:02,682 --> 00:31:03,960
to regular people?

839
00:31:04,534 --> 00:31:05,012
What happened?

840
00:31:05,650 --> 00:31:06,925
Honestly, I would just say it was a

841
00:31:06,925 --> 00:31:10,194
bad update that corrupted the operating system. Yeah.

842
00:31:10,912 --> 00:31:12,426
Antivirus works at a very low level in

843
00:31:12,426 --> 00:31:15,077
your computer, antivirus screwed up, like,

844
00:31:15,237 --> 00:31:16,995
something happened with it, and it broke it.

845
00:31:17,635 --> 00:31:19,233
That's how I would try to describe

846
00:31:19,233 --> 00:31:20,512
it to friends and family. To be honest.

847
00:31:20,672 --> 00:31:21,870
I don't know if anybody else has a better

848
00:31:21,870 --> 00:31:24,438
analogy. I think that's probably the

849
00:31:24,438 --> 00:31:26,771
easiest way to explain it, but what

850
00:31:26,989 --> 00:31:30,838
I'm interested in following now is,

851
00:31:31,215 --> 00:31:32,450
you know, how exactly

852
00:31:33,150 --> 00:31:35,490
Microsoft's gonna respond to the developer

853
00:31:36,029 --> 00:31:38,509
community and to all of the EDR

854
00:31:38,509 --> 00:31:40,109
and defensive product community?

855
00:31:40,523 --> 00:31:41,397
In terms of,

856
00:31:43,067 --> 00:31:46,007
ideas for putting guard rails, more guard rails

857
00:31:46,007 --> 00:31:48,392
around the kernel without pissing them off. Right?

858
00:31:50,080 --> 00:31:51,680
I think it's going to get to be

859
00:31:51,680 --> 00:31:52,740
a very interesting

860
00:31:53,120 --> 00:31:55,920
conversation because, you know, frankly, in

861
00:31:55,920 --> 00:31:56,799
a perfect world,

862
00:31:57,600 --> 00:31:58,340
this shouldn't

863
00:31:58,972 --> 00:32:01,044
be allowed to happen. Right? And

864
00:32:01,044 --> 00:32:03,137
you know, we'd rather not

865
00:32:03,752 --> 00:32:06,483
see an entire operating system destabilized

866
00:32:06,939 --> 00:32:07,837
by a single

867
00:32:08,309 --> 00:32:09,845
kernel driver. I also

868
00:32:10,542 --> 00:32:12,775
worry greatly in our community and have for

869
00:32:12,775 --> 00:32:14,231
a long time actually

870
00:32:14,768 --> 00:32:17,161
that the kernel driver supply chain,

871
00:32:17,733 --> 00:32:19,581
is an extremely vulnerable

872
00:32:20,113 --> 00:32:21,485
and highly trusted

873
00:32:22,017 --> 00:32:25,608
part of, well, everyday IT operation, and that's very

874
00:32:25,608 --> 00:32:27,366
certainly because of the compromise that happened all

875
00:32:27,366 --> 00:32:29,124
the way back at Windows Vista. Right? Yeah.

876
00:32:29,284 --> 00:32:30,962
You either let third party vendors into the

877
00:32:31,042 --> 00:32:33,060
kernel or you keep them out. And

878
00:32:33,533 --> 00:32:35,525
Seriously, I think that Microsoft as much as

879
00:32:35,525 --> 00:32:37,516
they were being, you know, very, very, very

880
00:32:37,516 --> 00:32:39,747
mono in trying to lock vendors out of

881
00:32:39,747 --> 00:32:42,311
the kernel, there were some damn valid reasons.

882
00:32:42,949 --> 00:32:44,780
Yeah. To keep them out of it as

883
00:32:44,780 --> 00:32:47,170
well. Well, those of us who lived through

884
00:32:47,170 --> 00:32:49,321
that period of time. We remember back in...

885
00:32:49,734 --> 00:32:52,315
You know, Windows Xp days just how

886
00:32:52,615 --> 00:32:54,394
unstable the kernel would get

887
00:32:54,855 --> 00:32:56,855
when you layered on some of

888
00:32:56,855 --> 00:32:58,615
these products. And the reason was they were

889
00:32:58,615 --> 00:33:02,143
hooking kernel tables, and sometimes they messed it

890
00:33:02,143 --> 00:33:02,303
up.

891
00:33:03,021 --> 00:33:03,181
You know,

892
00:33:03,900 --> 00:33:05,975
and it's... You know, I wasn't in

893
00:33:06,055 --> 00:33:07,811
IT or anything like that years ago, and

894
00:33:07,891 --> 00:33:10,052
I remember how often my computer crashed all

895
00:33:10,052 --> 00:33:11,399
the time. Like, the blue screen all

896
00:33:11,399 --> 00:33:12,587
the time, and then at some point it's

897
00:33:12,587 --> 00:33:15,598
stopped blue screening. Probably around SP2.

898
00:33:15,836 --> 00:33:17,844
And Yeah. So if you're looking at Windows

899
00:33:17,844 --> 00:33:19,519
XP, if we're looking at what protections were

900
00:33:19,519 --> 00:33:21,273
put in place, it used to be pre

901
00:33:21,513 --> 00:33:24,225
SP2 on XP that any application could

902
00:33:24,225 --> 00:33:25,921
access any region of memory

903
00:33:27,113 --> 00:33:29,031
anywhere else in memory. So you had a

904
00:33:29,031 --> 00:33:30,789
lot of things like video game trainers that

905
00:33:30,789 --> 00:33:33,426
could actually hook right into another process memory

906
00:33:33,426 --> 00:33:34,785
and start changing it that could mess with

907
00:33:34,785 --> 00:33:35,105
the kernel.

908
00:33:35,758 --> 00:33:37,592
SP2, they started putting in protections to

909
00:33:37,592 --> 00:33:39,665
try to shut that down. When Vista came

910
00:33:39,665 --> 00:33:41,978
out, Microsoft shut it down completely, and like

911
00:33:41,978 --> 00:33:44,210
what Jo talked about is that compromise. Right?

912
00:33:44,544 --> 00:33:47,322
So you probably did notice things getting more

913
00:33:47,322 --> 00:33:47,640
stable,

914
00:33:48,593 --> 00:33:51,212
and more secure. But now kind of, like,

915
00:33:51,292 --> 00:33:53,118
an open question, I'd love to get people

916
00:33:53,118 --> 00:33:55,049
a disc... Their opinion on this too.

917
00:33:55,769 --> 00:33:56,889
Do you think that this is gonna push

918
00:33:57,289 --> 00:33:59,289
Microsoft to shut this down even further.

919
00:34:00,329 --> 00:34:02,345
I scored I have my hot take is

920
00:34:02,345 --> 00:34:04,264
that this is definitely gonna start a conversation.

921
00:34:05,065 --> 00:34:07,544
You know, Microsoft. I I mean, Microsoft... I'm

922
00:34:07,544 --> 00:34:09,554
not... Microsoft does not like me, so I'm

923
00:34:09,554 --> 00:34:11,064
gonna try to be as blood as I

924
00:34:11,064 --> 00:34:13,051
can be, but have their what we do

925
00:34:13,051 --> 00:34:14,163
here. Right? So...

926
00:34:14,878 --> 00:34:16,483
But they have their own product too in

927
00:34:16,483 --> 00:34:18,391
the space, in EDR, and it doesn't really,

928
00:34:18,630 --> 00:34:21,493
like, what Josh describes because they built the

929
00:34:21,572 --> 00:34:23,402
OS, they have their own ability to kind

930
00:34:23,402 --> 00:34:25,982
of build their own kind of methods

931
00:34:26,037 --> 00:34:27,782
inside there to get the same level of telemetry

932
00:34:27,782 --> 00:34:29,131
for the kernel without having to hook it.

933
00:34:30,083 --> 00:34:31,114
So they are, you know,

934
00:34:32,002 --> 00:34:34,543
ahead of kind of. They are, and they're

935
00:34:34,543 --> 00:34:36,529
competing with a market space. Here.

936
00:34:37,244 --> 00:34:38,991
I think this gives them enough fire to

937
00:34:38,991 --> 00:34:40,818
kind of say, maybe we need to revamp

938
00:34:40,818 --> 00:34:43,219
this policy, and so push people out.

939
00:34:43,537 --> 00:34:44,970
I mean, I wouldn't see that happen because

940
00:34:45,049 --> 00:34:46,800
I wouldn't work eyes because all of a

941
00:34:46,800 --> 00:34:48,550
sudden, their products gonna start looking a lot

942
00:34:48,550 --> 00:34:50,380
more interesting and a lot more accurate.

943
00:34:50,794 --> 00:34:52,069
Or do you think that they're gonna do

944
00:34:52,069 --> 00:34:53,823
something like, if you're CrowdStrike or another

945
00:34:53,823 --> 00:34:55,258
vendor, you're gonna have to hook to Amc?

946
00:34:55,736 --> 00:34:57,490
And it's like this is what you look

947
00:34:57,490 --> 00:34:59,085
into? No. I... You know, I'd like to

948
00:34:59,085 --> 00:35:00,370
see what I would like to see and

949
00:35:00,370 --> 00:35:02,117
if I were at Microsoft right now, I

950
00:35:02,117 --> 00:35:04,499
would be advocating for this, I would like

951
00:35:04,499 --> 00:35:06,723
to see a kernel API developed.

952
00:35:07,531 --> 00:35:11,361
That had a series of driver integrity checks

953
00:35:11,654 --> 00:35:14,270
built into it for every driver load, kind

954
00:35:14,270 --> 00:35:14,880
of like

955
00:35:15,317 --> 00:35:18,418
live dynamic QA as the system booted. Do

956
00:35:18,418 --> 00:35:20,009
that. But that is definitely gonna be a

957
00:35:20,009 --> 00:35:20,804
performance hit. Right?

958
00:35:21,679 --> 00:35:24,564
No Do you want that? But but

959
00:35:25,592 --> 00:35:27,427
Only on boot if they could pull it

960
00:35:27,427 --> 00:35:29,661
off that the integrity checks are only on

961
00:35:29,661 --> 00:35:31,735
there's a chance for the system to recover.

962
00:35:32,388 --> 00:35:33,605
Correct. Oh,

963
00:35:34,459 --> 00:35:34,698
okay.

964
00:35:35,654 --> 00:35:38,282
But that's that's what I... You know, I

965
00:35:38,282 --> 00:35:40,751
think is kind of a responsible middle ground

966
00:35:40,751 --> 00:35:44,178
here. To maintain the telemetry that the vendors

967
00:35:44,178 --> 00:35:47,668
need, but also introduce additional safeguards in the

968
00:35:47,668 --> 00:35:48,802
driver load process

969
00:35:49,829 --> 00:35:52,150
so that potentially these things would not happen.

970
00:35:52,469 --> 00:35:54,389
Right? That's interesting. Yes, Jason.

971
00:35:56,724 --> 00:35:57,464
You're muted

972
00:35:58,083 --> 00:35:59,441
you're muted. But I'm glad you raised your

973
00:35:59,441 --> 00:36:02,078
hand. Why does Stream work? YouTube work,

974
00:36:02,877 --> 00:36:04,395
Discord work and all these other things work

975
00:36:04,395 --> 00:36:05,708
right now. Linux

976
00:36:06,083 --> 00:36:06,481
Linux.

977
00:36:07,197 --> 00:36:08,231
Yeah. Linux.

978
00:36:08,788 --> 00:36:11,175
Well, or any uni may stop operating. Yeah.

979
00:36:11,413 --> 00:36:13,322
Just be glad that this doesn't bring down

980
00:36:13,322 --> 00:36:15,558
all the Linux... Server. And Very different. Yeah.

981
00:36:15,875 --> 00:36:17,935
Let's let's answer that question a little bit

982
00:36:17,935 --> 00:36:19,995
different. Right? If we're looking at CrowdStrike

983
00:36:20,074 --> 00:36:23,293
Falcon, Falcon sensor. The vast majority, like overwhelming

984
00:36:23,350 --> 00:36:26,059
majority of Falcon instances are endpoints like people

985
00:36:26,059 --> 00:36:28,528
sitting down working at their computers. When you're

986
00:36:28,528 --> 00:36:30,441
looking at a lot of server infrastructure,

987
00:36:31,172 --> 00:36:33,955
that's actually running the Internet. Right? A lot

988
00:36:33,955 --> 00:36:35,625
of that is running on Linux.

989
00:36:36,182 --> 00:36:38,408
And if it is running Windows, a lot

990
00:36:38,408 --> 00:36:40,237
of that server infrastructure, which we don't see

991
00:36:40,237 --> 00:36:42,558
as much for, like, these types of services,

992
00:36:43,194 --> 00:36:45,579
it isn't gonna be running CrowdStrike. In

993
00:36:45,579 --> 00:36:47,806
those, like, those critical services that are out

994
00:36:47,806 --> 00:36:48,703
there. So

995
00:36:49,013 --> 00:36:51,154
that's generally why we're not seeing things go

996
00:36:51,154 --> 00:36:53,693
down at that level. Now. What's going on

997
00:36:53,693 --> 00:36:56,390
with the FAA and everything else, my guess

998
00:36:56,390 --> 00:36:56,890
is

999
00:36:57,199 --> 00:36:59,936
that the core infrastructure for banking, the core

1000
00:36:59,996 --> 00:37:02,393
infrastructure for airlines, the core infrastructure for a

1001
00:37:02,393 --> 00:37:04,570
lot of things is just fine

1002
00:37:05,043 --> 00:37:07,509
but the systems that the people use to

1003
00:37:07,509 --> 00:37:10,713
run those apps, those critical services every day

1004
00:37:10,770 --> 00:37:11,327
are down.

1005
00:37:11,900 --> 00:37:13,896
Sort of the people can't monitor if the

1006
00:37:13,896 --> 00:37:16,293
people can't maintain if the people can't poke

1007
00:37:16,293 --> 00:37:17,092
into those things,

1008
00:37:17,651 --> 00:37:19,581
then you've got to stop airplanes. Then you've got

1009
00:37:19,581 --> 00:37:21,971
to stop financial transactions, then you've gotta stop

1010
00:37:21,971 --> 00:37:23,724
these things from progressing.

1011
00:37:24,281 --> 00:37:26,432
So, yes, there are absolutely servers that are

1012
00:37:26,432 --> 00:37:29,074
Windows servers that are running CrowdStrike, that is

1013
00:37:29,074 --> 00:37:31,460
in fact, the thing. But in our experience

1014
00:37:31,460 --> 00:37:34,958
in testing, it is exceedingly rare for a

1015
00:37:34,958 --> 00:37:37,582
very high like, like high fidelity,

1016
00:37:38,154 --> 00:37:38,973
high availability,

1017
00:37:39,511 --> 00:37:41,427
high bandwidth service to be running on a

1018
00:37:41,427 --> 00:37:43,422
Windows system with Falcon on it. And

1019
00:37:43,422 --> 00:37:45,179
by the way, Microsoft, if you listen to

1020
00:37:45,179 --> 00:37:47,015
my idea, you can write me a large,

1021
00:37:47,189 --> 00:37:49,333
check. I will... I will definitely fully accept

1022
00:37:49,333 --> 00:37:51,954
that. Oh, somebody just said, so should I

1023
00:37:51,954 --> 00:37:54,416
reboot my computer 15 times? I'm seeing that?

1024
00:37:55,704 --> 00:37:57,460
Seeing people that have gotten up to 20

1025
00:37:57,460 --> 00:37:58,338
and it hasn't worked.

1026
00:37:59,855 --> 00:38:01,212
So it you can do it if you're

1027
00:38:01,212 --> 00:38:01,931
real desperate.

1028
00:38:02,569 --> 00:38:03,766
The other thing that I wanna talk about

1029
00:38:03,926 --> 00:38:05,619
I wanna take a pivot, from what's going

1030
00:38:05,619 --> 00:38:06,178
on here,

1031
00:38:07,057 --> 00:38:08,815
from a technical under the hood perspective, and

1032
00:38:08,815 --> 00:38:10,813
let's let's take a step out. You're now

1033
00:38:10,813 --> 00:38:13,630
an enterprise, you're an analyst, you're a CISO.

1034
00:38:14,342 --> 00:38:16,253
Okay. This is great. How it actually impacted

1035
00:38:16,253 --> 00:38:18,242
the kernel, where the virus hooked into the

1036
00:38:18,242 --> 00:38:20,550
kernel? That's all fine. That's all good. How

1037
00:38:20,550 --> 00:38:21,346
do I recover?

1038
00:38:21,918 --> 00:38:24,065
And right now there is...

1039
00:38:24,701 --> 00:38:25,917
I'm I'm gonna tell you

1040
00:38:26,291 --> 00:38:28,302
right out the gate that recovery

1041
00:38:28,836 --> 00:38:29,552
is bleak.

1042
00:38:30,919 --> 00:38:33,963
So right now, the recovery officially from CrowdStrike

1043
00:38:34,020 --> 00:38:36,247
is you have to physically log in to

1044
00:38:36,247 --> 00:38:38,632
a workstation as administrator, which I'm gonna come

1045
00:38:38,632 --> 00:38:40,317
back to here in just a couple seconds.

1046
00:38:40,795 --> 00:38:43,260
You have to boot the system into safe

1047
00:38:43,260 --> 00:38:43,420
mode.

1048
00:38:44,454 --> 00:38:46,974
Then you have to delete a file seconds

1049
00:38:47,412 --> 00:38:49,241
and reboot it, and it will come back.

1050
00:38:49,956 --> 00:38:50,456
That

1051
00:38:50,831 --> 00:38:53,296
is like 4 or 5 sentences, that sounds

1052
00:38:53,296 --> 00:38:55,921
easy. Here's the instructions. Boot into safe mode

1053
00:38:55,921 --> 00:38:58,560
navigate to the drivers\CrowdStrike directory,

1054
00:38:59,276 --> 00:39:01,026
locate the .sys file, delete it,

1055
00:39:02,140 --> 00:39:03,572
reboot it, and then you're back.

1056
00:39:04,223 --> 00:39:06,690
So you're seeing on Reddit and you're seeing

1057
00:39:06,690 --> 00:39:09,714
on some people on Twitter, where they're talking

1058
00:39:09,714 --> 00:39:11,624
about it in terms of they have a

1059
00:39:11,624 --> 00:39:13,057
hundred thousand nodes.

1060
00:39:13,789 --> 00:39:16,769
And best case scenario this takes 5 minutes

1061
00:39:16,829 --> 00:39:17,809
per node

1062
00:39:18,269 --> 00:39:18,750
to do.

1063
00:39:19,309 --> 00:39:22,030
That is a ridiculous amount of time.

1064
00:39:23,003 --> 00:39:24,758
To be able to go through and reboot

1065
00:39:24,758 --> 00:39:27,072
all of those systems manually. Jason, you had

1066
00:39:27,072 --> 00:39:29,146
a question, Does this include people that work

1067
00:39:29,146 --> 00:39:31,625
from home? Yes. But include people that work

1068
00:39:31,625 --> 00:39:31,942
from home.

1069
00:39:32,657 --> 00:39:35,434
So worst case scenario for desktop support teams

1070
00:39:35,434 --> 00:39:38,151
is they're sending instructions to people. On how

1071
00:39:38,151 --> 00:39:41,201
to move their computer into safe boot or

1072
00:39:41,258 --> 00:39:43,887
just out new laptop. But but if you

1073
00:39:43,887 --> 00:39:44,387
can't

1074
00:39:44,938 --> 00:39:47,726
use your computer to get that information? Then

1075
00:39:47,726 --> 00:39:49,159
how are you getting the information to fix

1076
00:39:49,159 --> 00:39:51,628
the computer? There there we go circular firing

1077
00:39:51,628 --> 00:39:53,301
squad. Yeah. And by the way,

1078
00:39:53,954 --> 00:39:55,251
Jason, it gets worse

1079
00:39:55,629 --> 00:39:57,783
because a lot of organizations have been told

1080
00:39:57,783 --> 00:40:00,416
to put hard drive encryption on their computer

1081
00:40:00,416 --> 00:40:00,735
system.

1082
00:40:01,547 --> 00:40:03,698
And using like BitLocker or something like that.

1083
00:40:05,132 --> 00:40:06,964
You can't even boot it. And these kinds

1084
00:40:06,964 --> 00:40:08,971
of massive problems. It, you know, was a totally

1085
00:40:08,971 --> 00:40:10,565
different problem back in the day, but I

1086
00:40:10,565 --> 00:40:13,512
remember when the the seed files were stolen

1087
00:40:13,512 --> 00:40:16,141
for RSA. That's right. And, you know,

1088
00:40:16,380 --> 00:40:18,150
I worked for a large company at... And

1089
00:40:18,150 --> 00:40:19,769
we had a hundred and fifty thousand

1090
00:40:19,829 --> 00:40:21,910
employees that needed new RSA tokens. So...

1091
00:40:22,630 --> 00:40:24,949
Remember, RSA didn't replace those tokens for a

1092
00:40:24,949 --> 00:40:26,710
bunch of their customers. They didn't renew because

1093
00:40:26,710 --> 00:40:27,679
you were out. Shipyard,

1094
00:40:28,076 --> 00:40:29,583
and it was DoD. Yeah.

1095
00:40:30,456 --> 00:40:34,159
So that deal. That sucks. Yeah. So

1096
00:40:34,678 --> 00:40:36,832
Ryan, can you share the thing I just

1097
00:40:36,832 --> 00:40:38,986
shot you about bypassing Bitdefender?

1098
00:40:40,263 --> 00:40:42,747
Or sorry, BitLocker? So BitLocker,

1099
00:40:43,224 --> 00:40:45,131
this is posted by, what is it, S

1100
00:40:45,290 --> 00:40:45,608
Cali,

1101
00:40:46,641 --> 00:40:49,184
that you can cycle through boot till you

1102
00:40:49,184 --> 00:40:52,547
get a recovery screen. Navigate to Troubleshoot, Advanced

1103
00:40:52,547 --> 00:40:55,344
options, Startup Settings, Restart, skip the BitLocker first

1104
00:40:55,344 --> 00:40:58,621
and second attempt. Navigate back to Troubleshoot, Advanced

1105
00:40:58,621 --> 00:41:01,029
options, Command Prompt, bcdedit set default

1106
00:41:01,029 --> 00:41:01,906
minimal safeboot.

1107
00:41:03,101 --> 00:41:05,891
This, I have seen pop up in 4

1108
00:41:05,891 --> 00:41:07,188
or 5 different places

1109
00:41:08,137 --> 00:41:09,651
I've seen it on Reddit. I've seen it

1110
00:41:09,651 --> 00:41:11,961
on Twitter. I've even seen it on our

1111
00:41:12,599 --> 00:41:14,670
on our on our discord server.

1112
00:41:15,241 --> 00:41:17,148
And I am seeing people to get around

1113
00:41:17,148 --> 00:41:19,054
BitLocker. Sorry, referred to it as

1114
00:41:19,054 --> 00:41:20,484
Bitdefender. I'm seeing people that have

1115
00:41:20,484 --> 00:41:21,619
tried to bypass

1116
00:41:22,072 --> 00:41:22,572
BitLocker

1117
00:41:23,105 --> 00:41:24,058
that this works.

1118
00:41:25,106 --> 00:41:26,773
This is Anecdotal, you can try to do

1119
00:41:26,773 --> 00:41:28,837
it as a desperate measures. If you... Especially

1120
00:41:28,837 --> 00:41:30,210
if you have a critical system

1121
00:41:30,822 --> 00:41:33,856
that has, you know, app absolutely like the

1122
00:41:33,856 --> 00:41:35,924
recovery keys you need to get access to

1123
00:41:35,924 --> 00:41:38,629
this computer system. But this thing terrifies me

1124
00:41:38,629 --> 00:41:40,632
because this isn't even 5 minutes to do.

1125
00:41:41,347 --> 00:41:42,699
It's gonna take up half an hour to

1126
00:41:42,699 --> 00:41:45,323
45 minutes to do. You know, key escrow

1127
00:41:45,323 --> 00:41:48,602
for the win. Right? Yeah. He's Mh I

1128
00:41:48,602 --> 00:41:50,199
wanted to bring in Patterson and Derek a

1129
00:41:50,199 --> 00:41:51,157
little bit more on this.

1130
00:41:51,954 --> 00:41:53,232
So we're saying you gotta sit down and

1131
00:41:53,232 --> 00:41:54,190
you gotta log in to all your

1132
00:41:54,269 --> 00:41:55,547
Windows computer systems guys.

1133
00:41:57,236 --> 00:41:58,431
What if you what if you're... I mean,

1134
00:41:58,669 --> 00:42:00,341
if you go into safe mode. Right? You

1135
00:42:00,341 --> 00:42:02,649
don't need to have an administrator password for

1136
00:42:02,649 --> 00:42:04,974
safe mode on some systems or can you

1137
00:42:04,974 --> 00:42:06,094
kind of walk through what is the logic

1138
00:42:06,094 --> 00:42:07,534
of that? What if you're using LAPS?

1139
00:42:08,414 --> 00:42:10,114
For administrator, like, password

1140
00:42:10,655 --> 00:42:12,494
randomization in your environment? It's not an issue

1141
00:42:12,494 --> 00:42:14,747
of just an admin sitting down? Like, What

1142
00:42:14,747 --> 00:42:15,724
are some recommended

1143
00:42:16,178 --> 00:42:18,164
kind of approaches for trying to handle this?

1144
00:42:18,721 --> 00:42:21,128
If you're seriously a help desk, desktop

1145
00:42:21,503 --> 00:42:23,832
administrator. You're staring down this. What are some

1146
00:42:23,832 --> 00:42:25,430
pitfalls? What are some things that you've gotta

1147
00:42:25,430 --> 00:42:27,027
you gotta start figuring out right now?

1148
00:42:29,359 --> 00:42:31,517
Oh, Lord. I've been so far removed from

1149
00:42:31,517 --> 00:42:34,713
break-fix stuff. Like, I honestly don't know

1150
00:42:34,713 --> 00:42:36,871
the answer to the question of does safe

1151
00:42:36,871 --> 00:42:39,684
mode, you know, still require an administrator password.

1152
00:42:39,844 --> 00:42:41,704
I would say no based on

1153
00:42:42,085 --> 00:42:43,684
experience, but I mean, if it were me,

1154
00:42:43,844 --> 00:42:45,764
and I was an enterprise, and I was

1155
00:42:45,764 --> 00:42:47,299
dealing with because this is an incident Right?

1156
00:42:47,458 --> 00:42:49,371
This is, you know, basically a denial of

1157
00:42:49,371 --> 00:42:49,770
service.

1158
00:42:50,408 --> 00:42:53,596
I would say I'd probably be sending out

1159
00:42:53,596 --> 00:42:54,096
new

1160
00:42:54,553 --> 00:42:57,045
new equipment. And having it cross ship. I

1161
00:42:57,045 --> 00:42:59,045
know it's expensive, but I just don't know

1162
00:42:59,045 --> 00:43:01,364
how you're gonna get remote workers to successfully.

1163
00:43:01,844 --> 00:43:03,844
You'd spend more money on the phone with

1164
00:43:03,844 --> 00:43:05,936
folks I think, trying to figure it out.

1165
00:43:06,175 --> 00:43:08,570
I'd just... I... And then, you know, I've

1166
00:43:08,570 --> 00:43:11,044
seen people saying in chat, I've been trying

1167
00:43:11,044 --> 00:43:12,960
to, you know, read the fire hose of,

1168
00:43:13,214 --> 00:43:14,650
for the the folks that are like as

1169
00:43:14,730 --> 00:43:17,760
CrowdStrike gonna be financially responsible. I'm sure

1170
00:43:17,760 --> 00:43:19,834
in their end user license agreement that there's...

1171
00:43:20,153 --> 00:43:22,307
We don't take responsibility for outage kind of

1172
00:43:22,307 --> 00:43:25,940
language. Right? You I I am equally sure

1173
00:43:26,239 --> 00:43:28,320
that there's going to be judges. They're gonna

1174
00:43:28,320 --> 00:43:29,599
throw that shit right out the window though.

1175
00:43:29,760 --> 00:43:31,655
But I mean, as far as, like, retain

1176
00:43:32,014 --> 00:43:32,412
customers.

1177
00:43:33,528 --> 00:43:36,161
Yeah. I, you know what, and so

1178
00:43:36,240 --> 00:43:38,074
I wanna continue to talk about recovery. We'll

1179
00:43:38,074 --> 00:43:38,872
talk about the out

1180
00:43:39,589 --> 00:43:41,105
Especially to CrowdStrike right here in a second

1181
00:43:41,105 --> 00:43:43,024
gaining I just... So ditch Oh, go ahead.

1182
00:43:43,262 --> 00:43:46,039
No. Just those manual instructions are really untenable

1183
00:43:46,039 --> 00:43:46,539
for

1184
00:43:47,230 --> 00:43:48,023
for...

1185
00:43:48,914 --> 00:43:51,628
I mean, anyone who has remote workforce stuff.

1186
00:43:52,187 --> 00:43:54,263
Yeah yeah. We've got we've got people freaking

1187
00:43:54,263 --> 00:43:56,818
out there, like, excuse me what? Do... So

1188
00:43:56,818 --> 00:43:59,708
you completely can bypass BitLocker using these

1189
00:43:59,708 --> 00:44:00,107
techniques.

1190
00:44:01,226 --> 00:44:03,383
Apparently, someone was sitting on a 0 day

1191
00:44:03,383 --> 00:44:04,262
for BitLocker.

1192
00:44:04,821 --> 00:44:06,590
Today is their day to shine. Maybe. I don't

1193
00:44:06,590 --> 00:44:08,044
know. I would like to get some more

1194
00:44:08,180 --> 00:44:10,246
confirmation as to whether or not this actually

1195
00:44:10,246 --> 00:44:10,485
works.

1196
00:44:11,518 --> 00:44:13,744
So some other solutions kind of kicking kicking

1197
00:44:13,744 --> 00:44:15,255
this out there. If you if you don't,

1198
00:44:15,429 --> 00:44:16,967
if you're not using hard drive

1199
00:44:17,425 --> 00:44:19,660
encryption, you can always have a Linux system

1200
00:44:19,660 --> 00:44:20,480
on an ISO

1201
00:44:20,858 --> 00:44:23,173
that runs some scripts to automatically mount the

1202
00:44:23,173 --> 00:44:25,423
hard drive and delete these files. Yeah. That

1203
00:44:25,423 --> 00:44:25,902
is one.

1204
00:44:27,020 --> 00:44:28,936
It's just a USB drive. It once again,

1205
00:44:29,096 --> 00:44:30,612
if you're dealing with remote workers, are you

1206
00:44:30,612 --> 00:44:32,528
gonna ship them USB drives, and it's gonna

1207
00:44:32,528 --> 00:44:34,125
get there on Monday or Tuesday and then

1208
00:44:34,125 --> 00:44:35,975
they it's gonna get scary.

1209
00:44:36,773 --> 00:44:38,766
The other one that I've seen bantered about

1210
00:44:38,766 --> 00:44:41,558
is PXE boot. But we, Derek and I,

1211
00:44:41,558 --> 00:44:43,712
were talking about this this morning. Been so

1212
00:44:43,712 --> 00:44:45,400
you gotta be on the same LAN. Right?

1213
00:44:45,638 --> 00:44:47,309
I mean, rather be on the same. Yeah.

1214
00:44:47,547 --> 00:44:49,217
I just... I I just... It's not gonna

1215
00:44:49,217 --> 00:44:50,172
work for remote workers as

1216
00:44:51,286 --> 00:44:51,937
Top Absolutely.

1217
00:44:52,892 --> 00:44:53,927
Scale is difficult.

1218
00:44:54,722 --> 00:44:56,314
Yeah. Yeah. And it just... Yeah.

1219
00:44:57,268 --> 00:44:59,258
It dip... That be the beeping in, You're

1220
00:44:59,258 --> 00:45:00,690
not gonna be able to PXE boot. Right.

1221
00:45:01,264 --> 00:45:03,339
Internet. I think I think the biggest biggest

1222
00:45:03,339 --> 00:45:05,414
challenge here is is the BitLocker challenge.

1223
00:45:05,574 --> 00:45:07,969
Right? Because, you know, if you if you

1224
00:45:07,969 --> 00:45:09,725
have to go recovery keys or you go

1225
00:45:09,725 --> 00:45:11,251
to safe mode. I mean, I know the

1226
00:45:11,251 --> 00:45:13,500
hacks out there, but, you know, who knows

1227
00:45:13,795 --> 00:45:15,942
if it's gonna work. But like this. Somebody

1228
00:45:15,942 --> 00:45:18,580
said it doesn't bypass BitLocker. It just boots

1229
00:45:18,580 --> 00:45:20,887
normally with a trusted platform module to unlock

1230
00:45:20,887 --> 00:45:22,239
the drive. You still need to have the

1231
00:45:22,239 --> 00:45:26,237
admin password. Yeah. Yeah. Yep. Yeah. But still

1232
00:45:26,237 --> 00:45:27,434
kinda kinda does.

1233
00:45:28,153 --> 00:45:28,653
I

1234
00:45:29,590 --> 00:45:32,224
so Can can I... Linux girl last, what

1235
00:45:32,224 --> 00:45:34,561
is PXE boot. So PXE boot is where

1236
00:45:35,033 --> 00:45:36,249
Instead of your computer

1237
00:45:36,624 --> 00:45:38,614
starting its operating system from the hard drive,

1238
00:45:39,012 --> 00:45:41,478
it goes on the network through a broadcast

1239
00:45:41,478 --> 00:45:41,956
protocol.

1240
00:45:42,289 --> 00:45:45,083
And it downloads an image of an operating

1241
00:45:45,083 --> 00:45:48,037
system to load from the network rather than

1242
00:45:48,037 --> 00:45:50,054
the hard drive, typically over TFTP.

1243
00:45:50,432 --> 00:45:53,072
Yeah. TFTP, it's very... Common. And and basically,

1244
00:45:53,230 --> 00:45:54,735
what happens there is do you you put

1245
00:45:54,735 --> 00:45:57,588
an option in your DHCP server, which, Yeah.

1246
00:45:57,826 --> 00:46:01,043
Which points at common the network server that

1247
00:46:01,100 --> 00:46:03,808
supplies the operating system image. Yes. Daniel just

1248
00:46:03,808 --> 00:46:05,720
said we need to PXE boot on content

1249
00:46:05,720 --> 00:46:07,813
delivery networks. I'm like, there's nothing

1250
00:46:08,285 --> 00:46:10,445
Yes and by thought about that, that makes

1251
00:46:10,445 --> 00:46:12,285
me feel warm and fuzzy. By the way,

1252
00:46:12,525 --> 00:46:15,005
the acronym is is PXE

1253
00:46:15,005 --> 00:46:16,844
even though we all say Pixie. But...

1254
00:46:17,257 --> 00:46:19,719
Yeah. Yeah. It Yeah. Sounds cooler. Right, Off.

1255
00:46:20,037 --> 00:46:21,387
Does sound cool. I feel like it does

1256
00:46:21,387 --> 00:46:21,864
sound cooler.

1257
00:46:22,500 --> 00:46:24,565
I feel like Patterson quietly in the background

1258
00:46:24,565 --> 00:46:26,490
finding a fix for this and then at the

1259
00:46:26,490 --> 00:46:28,086
very end he's like, alright. So here's how...

1260
00:46:28,484 --> 00:46:30,159
Here it is. He's the ninja that's quiet

1261
00:46:30,159 --> 00:46:31,755
in the back of the fight. He's jumping

1262
00:46:31,755 --> 00:46:33,770
in. What do you got, Patterson? I I

1263
00:46:34,386 --> 00:46:36,875
I'm... Oh, I'm bordering on

1264
00:46:36,875 --> 00:46:39,110
Captain Obvious, but I can't help myself in

1265
00:46:39,110 --> 00:46:42,223
that, as an incident responder, You, this is

1266
00:46:42,223 --> 00:46:44,550
the crap we've been warning you about. And

1267
00:46:44,550 --> 00:46:48,210
and but I I just wanna say, please

1268
00:46:48,210 --> 00:46:49,800
forgive me, you know, never let a good

1269
00:46:49,800 --> 00:46:51,883
crisis go to waste. All of the things

1270
00:46:51,883 --> 00:46:54,030
that we're wrestling with out-of-band comms,

1271
00:46:55,064 --> 00:46:58,244
prioritization of business critical resources, backups, resilience,

1272
00:46:59,454 --> 00:47:01,531
This may be the wrong time, but that's

1273
00:47:01,531 --> 00:47:03,609
just top of mind for me to to

1274
00:47:03,609 --> 00:47:04,967
walk out the other side of this as

1275
00:47:04,967 --> 00:47:06,725
an incredible learning opportunity,

1276
00:47:07,139 --> 00:47:08,498
to redefine and or,

1277
00:47:09,537 --> 00:47:12,334
define ways that you're going to confront these

1278
00:47:12,334 --> 00:47:14,571
kinds of issues because this is, and, this

1279
00:47:14,571 --> 00:47:16,190
is denial of service at scale

1280
00:47:16,585 --> 00:47:18,265
And again, it is... It's like, the the

1281
00:47:18,265 --> 00:47:19,864
world's greatest tabletop exercise.

1282
00:47:20,425 --> 00:47:21,644
Yeah. Like

1283
00:47:22,905 --> 00:47:24,025
the Ara code. Right? Like,

1284
00:47:24,664 --> 00:47:26,440
Oh, my gosh. It's like everyone gets to

1285
00:47:26,440 --> 00:47:27,880
play saudi of Ara. Yeah. I ordered it

1286
00:47:27,880 --> 00:47:29,480
out this morning. On the bright side, lots

1287
00:47:29,480 --> 00:47:32,039
of companies get a live ransomware recovery

1288
00:47:32,039 --> 00:47:32,519
test this morning.

1289
00:47:33,170 --> 00:47:35,869
Yeah. Because you... You're worried about ransomware, this

1290
00:47:35,869 --> 00:47:38,090
is the same. Like, these, like, just like

1291
00:47:38,170 --> 00:47:39,995
Patterson said, these are the same steps. If

1292
00:47:39,995 --> 00:47:40,947
you can do this well.

1293
00:47:41,518 --> 00:47:44,379
You're doing awesome. Keep going, but I'm guessing

1294
00:47:44,379 --> 00:47:46,286
a lot of organizations can't do this well.

1295
00:47:47,239 --> 00:47:48,057
And unfortunately,

1296
00:47:48,431 --> 00:47:49,702
there's no amount of money.

1297
00:47:50,274 --> 00:47:52,588
That you can pay somebody that they will

1298
00:47:52,588 --> 00:47:54,183
give you, like you pay them at Bitcoin

1299
00:47:54,183 --> 00:47:55,938
and they give you a recovery key that

1300
00:47:55,938 --> 00:47:58,894
recovers your ops. Like, there is no really

1301
00:47:58,894 --> 00:48:01,454
cool reset button with the ransomware group

1302
00:48:01,508 --> 00:48:03,172
where they're, like, give us a million dollars

1303
00:48:03,172 --> 00:48:05,813
and you get everything back. That doesn't exist

1304
00:48:05,813 --> 00:48:08,289
today. Yeah. Watch out for the phishing tactics

1305
00:48:08,289 --> 00:48:09,349
they're gonna go flowing

1306
00:48:10,127 --> 00:48:10,627
really.

1307
00:48:11,166 --> 00:48:13,654
Phishing tactics. A little bit. Before John left,

1308
00:48:13,813 --> 00:48:15,271
he showed a bunch of domains

1309
00:48:15,807 --> 00:48:18,120
that were registered, like, within the last 24

1310
00:48:18,120 --> 00:48:20,673
hours. And here are some of them: CrowdStrike

1311
00:48:20,673 --> 00:48:23,163
blue screen dot com. CrowdStrike 0

1312
00:48:23,163 --> 00:48:25,639
day dot com. CrowdStrike BSOD

1313
00:48:25,639 --> 00:48:27,797
dot com. CrowdStrike doomsday dot com.

1314
00:48:28,196 --> 00:48:31,006
CrowdStrike fix dot com. CrowdStrike down

1315
00:48:31,006 --> 00:48:33,023
dot site. CrowdStrike token

1316
00:48:33,401 --> 00:48:34,699
dot com. So

1317
00:48:35,716 --> 00:48:38,271
it's brace yourselves. Like you think this is

1318
00:48:38,271 --> 00:48:40,753
bad like the attackers are gonna take advantage

1319
00:48:40,753 --> 00:48:42,128
of this? This is coming

1320
00:48:42,502 --> 00:48:42,979
right now.

1321
00:48:43,854 --> 00:48:45,205
So, Derek, do you wanna... You were talking

1322
00:48:45,205 --> 00:48:46,318
about that with me on the phone? Do

1323
00:48:46,318 --> 00:48:47,909
you wanna talk a little bit more about

1324
00:48:47,909 --> 00:48:49,836
this? Like, the I mean, we just saw

1325
00:48:49,836 --> 00:48:51,750
this. Oh, gosh. I just read about this

1326
00:48:52,069 --> 00:48:53,345
yesterday on another,

1327
00:48:55,179 --> 00:48:56,854
I can't remember the software package.

1328
00:48:57,014 --> 00:48:58,784
We actually had a SOC customer that fell

1329
00:48:58,784 --> 00:49:00,622
for something similar where, you know, you Google

1330
00:49:00,622 --> 00:49:02,540
the problem. And it's, like, here's the solution

1331
00:49:02,540 --> 00:49:04,218
of the problem. So you couple either, like,

1332
00:49:04,458 --> 00:49:07,175
phishing or social or search engine optimization,

1333
00:49:07,750 --> 00:49:10,469
and you get the the fix or the

1334
00:49:10,469 --> 00:49:12,869
update, and well, it's not the fix or

1335
00:49:12,869 --> 00:49:15,050
the update. Right? At all. It's a backdoor.

1336
00:49:16,403 --> 00:49:18,472
And, yeah. So that's what I worry about.

1337
00:49:18,630 --> 00:49:20,142
Those are just some of the IOCs

1338
00:49:20,142 --> 00:49:22,370
that are known now, and I imagine there'll

1339
00:49:22,370 --> 00:49:24,453
be more to come. So from a defense

1340
00:49:24,453 --> 00:49:25,806
perspective, 1 of the things you might wanna

1341
00:49:25,806 --> 00:49:28,431
do with your DNS security provider is basically

1342
00:49:28,431 --> 00:49:30,181
looking at the age of domains slick.

1343
00:49:31,228 --> 00:49:33,133
Like, what is the age of the domain? I

1344
00:49:33,133 --> 00:49:34,244
mean, you should be... And this goes back

1345
00:49:34,244 --> 00:49:35,117
to what Patterson said.

1346
00:49:35,832 --> 00:49:37,181
This is all shit. You should have been

1347
00:49:37,181 --> 00:49:37,737
doing too.

1348
00:49:38,372 --> 00:49:38,927
Right? Like,

1349
00:49:40,371 --> 00:49:42,595
It isn't like, oh, God. No. We never saw

1350
00:49:42,595 --> 00:49:44,445
this coming. Take advantage of

1351
00:49:45,056 --> 00:49:47,121
What really hurts me is, like,

1352
00:49:47,121 --> 00:49:48,802
the people that are listening to this

1353
00:49:48,802 --> 00:49:50,945
webcast are lighting up discord and I cannot

1354
00:49:50,945 --> 00:49:52,771
keep up with what's going on in the meeting

1355
00:49:52,771 --> 00:49:53,167
right now.

1356
00:49:53,961 --> 00:49:55,707
They're not the ones that worry me the

1357
00:49:55,707 --> 00:49:57,316
most. The ones that worried me the most,

1358
00:49:57,476 --> 00:49:59,710
are the ones that logged into CNN or some

1359
00:49:59,710 --> 00:50:00,667
report, whatever.

1360
00:50:01,146 --> 00:50:03,791
And they're like, good god. What happens? What

1361
00:50:03,791 --> 00:50:06,169
is this? And they're starting from ground zero

1362
00:50:06,169 --> 00:50:09,101
right now. Yeah. That is what really scares

1363
00:50:09,101 --> 00:50:09,260
me.

1364
00:50:10,211 --> 00:50:10,711
So

1365
00:50:11,338 --> 00:50:13,886
I believe we're gonna have a new Backdoors

1366
00:50:13,886 --> 00:50:16,059
& Breaches inject card. Do.

1367
00:50:17,072 --> 00:50:18,824
Yeah. But I think we know what the

1368
00:50:18,824 --> 00:50:19,620
card is gonna be.

1369
00:50:20,513 --> 00:50:22,189
We did a we did a tabletop yesterday,

1370
00:50:22,269 --> 00:50:24,504
and we actually pulled the EDR, you

1371
00:50:24,504 --> 00:50:26,579
know, endpoint security, and then they rolled the

1372
00:50:26,579 --> 00:50:28,575
failure and everyone in the audience was

1373
00:50:28,575 --> 00:50:31,940
incredulous. EDR always works. I'm like, no. Really.

1374
00:50:34,413 --> 00:50:35,849
Back to him to get you like me

1375
00:50:35,849 --> 00:50:38,242
see, sometimes things don't go as planned. Like

1376
00:50:38,321 --> 00:50:38,561
Yeah.

1377
00:50:39,213 --> 00:50:42,002
What timing is that? So somebody actually...

1378
00:50:42,241 --> 00:50:44,233
I just saw something going by, so updates

1379
00:50:44,233 --> 00:50:45,667
are bad. Right? I mean, these are the

1380
00:50:45,667 --> 00:50:47,420
kinds of things that make

1381
00:50:48,297 --> 00:50:48,536
you know,

1382
00:50:49,505 --> 00:50:51,572
organizations think, well, now we're not gonna update

1383
00:50:51,572 --> 00:50:53,186
because look what happened. And

1384
00:50:54,196 --> 00:50:56,502
that's not the right answer either. So the new

1385
00:50:56,502 --> 00:50:58,331
Backdoors & Breaches card. I

1386
00:50:58,331 --> 00:51:00,505
think it needs to be named Kernel

1387
00:51:00,585 --> 00:51:02,984
Driver of F buy. That's what we need.

1388
00:51:03,224 --> 00:51:05,704
So at the first CrowdStrike

1389
00:51:05,704 --> 00:51:08,117
deployment I ever did, a long time ago, we

1390
00:51:08,117 --> 00:51:09,156
had issues with,

1391
00:51:10,514 --> 00:51:13,684
basically denial of service through oversaturation of internet

1392
00:51:14,360 --> 00:51:16,429
connectivity based on updates. And then you could

1393
00:51:16,429 --> 00:51:18,838
group your updates thereafter. You could actually manage

1394
00:51:19,293 --> 00:51:20,429
distribution of

1395
00:51:20,898 --> 00:51:23,438
CrowdStrike updates to endpoints based on grouping.

1396
00:51:23,914 --> 00:51:25,978
And can you not do that anymore, and

1397
00:51:25,978 --> 00:51:29,177
you exert some manual control to say, testing

1398
00:51:29,883 --> 00:51:32,429
I don't know. Somebody posted a minute ago, and I

1399
00:51:32,429 --> 00:51:33,543
just caught it, and I'm not sure if

1400
00:51:33,543 --> 00:51:35,373
it's true that even if you were trying

1401
00:51:35,373 --> 00:51:36,860
to stay behind, like, this

1402
00:51:37,298 --> 00:51:39,371
basically, you got this update either way. And

1403
00:51:39,371 --> 00:51:41,523
that's one thing I never really agreed with

1404
00:51:41,523 --> 00:51:44,552
in the... Certainly for personal users when Windows

1405
00:51:44,552 --> 00:51:46,475
did it, but, you know, I never really

1406
00:51:46,475 --> 00:51:48,485
agreed with forcing updates on

1407
00:51:49,177 --> 00:51:51,242
organizations. And I know there's ways around it

1408
00:51:51,242 --> 00:51:53,323
for sure, but, you know I think the

1409
00:51:53,323 --> 00:51:55,628
automatic update thing It needs to be an

1410
00:51:55,628 --> 00:51:58,251
option. It shouldn't just be on. Okay. So I'm

1411
00:51:58,251 --> 00:51:59,681
gonna throw this out there. I'm gonna disagree.

1412
00:52:00,331 --> 00:52:03,188
This is bad. No question. But God, if it

1413
00:52:03,188 --> 00:52:05,648
takes us back 10 years with auto

1414
00:52:05,885 --> 00:52:08,107
That's political. That's what's gonna happen. We

1415
00:52:08,107 --> 00:52:10,739
don't... We we can't have that. Right? No

1416
00:52:10,739 --> 00:52:13,436
disagree. No, but with follow-up. But we've

1417
00:52:13,436 --> 00:52:14,943
used to... I used to teach way

1418
00:52:14,943 --> 00:52:16,371
back in the mid 2000s.

1419
00:52:16,704 --> 00:52:18,223
It was like, you should always test and

1420
00:52:18,223 --> 00:52:20,221
validate your updates for, you know, a couple

1421
00:52:20,221 --> 00:52:21,899
of weeks before you roll it out to

1422
00:52:21,899 --> 00:52:24,136
production, and it's like, we ain't got time

1423
00:52:24,136 --> 00:52:26,868
for that. I stopped saying that and

1424
00:52:26,868 --> 00:52:28,786
more of, instead, said, and it does

1425
00:52:28,786 --> 00:52:30,384
apply to this too. Just get get good

1426
00:52:30,384 --> 00:52:31,902
at fixing it when it breaks. Right?

1427
00:52:33,021 --> 00:52:35,583
Immediately deploy to, like, your IT team that

1428
00:52:35,583 --> 00:52:35,981
would be,

1429
00:52:36,934 --> 00:52:39,238
you know, responsible for fixing it Right? We're

1430
00:52:39,238 --> 00:52:40,588
get to auto out q

1431
00:52:41,319 --> 00:52:43,477
You do go ahead, one CrowdStrike and Huntress,

1432
00:52:43,557 --> 00:52:45,475
and then at least only one third of

1433
00:52:45,475 --> 00:52:47,952
your environment already the space Yeah. Yeah. Well,

1434
00:52:48,112 --> 00:52:50,350
that's an idea. Defense in depth, not really.

1435
00:52:50,590 --> 00:52:52,682
So, you know, I have joked about that,

1436
00:52:52,842 --> 00:52:54,600
dude? We joke about that, but I guarantee...

1437
00:52:54,760 --> 00:52:55,160
And...

1438
00:52:55,799 --> 00:52:58,057
Is that a bad idea today? To basically

1439
00:52:58,117 --> 00:53:00,195
say that we have multiple offices. We're gonna

1440
00:53:00,195 --> 00:53:02,279
use different EDRs to make sure that

1441
00:53:02,279 --> 00:53:03,791
we don't go down a hundred percent.

1442
00:53:04,984 --> 00:53:07,585
We used to recommend doing a bifurcation of

1443
00:53:08,103 --> 00:53:11,136
endpoint security on workstations versus servers, partially for

1444
00:53:11,136 --> 00:53:13,370
that reason. Yeah. Not a, again, not a

1445
00:53:13,370 --> 00:53:15,684
terrible idea. Sure. And the article I was,

1446
00:53:15,859 --> 00:53:17,775
trying to remember during my class, but I

1447
00:53:17,775 --> 00:53:20,808
remember Dan Geer and Bruce Schneier, the

1448
00:53:20,808 --> 00:53:21,047
monoculture

1449
00:53:21,846 --> 00:53:23,682
paper, where they were talking about the dangers

1450
00:53:23,682 --> 00:53:26,568
of monoculture. Like, we're still there. Right?

1451
00:53:26,967 --> 00:53:28,903
That is absolutely a problem

1452
00:53:29,599 --> 00:53:30,897
that exists. But

1453
00:53:31,275 --> 00:53:32,550
I I just don't know where the hell

1454
00:53:32,550 --> 00:53:34,599
this goes. I don't think it goes anywhere

1455
00:53:34,879 --> 00:53:36,713
good. Like, I think that you're gonna have

1456
00:53:36,793 --> 00:53:38,787
CEOs are gonna be, like, rip and replace

1457
00:53:38,787 --> 00:53:41,499
CrowdStrike now. Oh, yeah. And CrowdStrike,

1458
00:53:41,579 --> 00:53:43,094
just to be honest, Matt, I wanna get

1459
00:53:43,094 --> 00:53:44,585
your take, off I wanna get your take

1460
00:53:45,023 --> 00:53:47,414
They aren't a garbage EDR. Right? Like they're

1461
00:53:47,414 --> 00:53:50,363
not bottom feeder. Right? So we might be

1462
00:53:50,363 --> 00:53:51,877
seeing one of the better EDRs in

1463
00:53:51,877 --> 00:53:52,435
the market.

1464
00:53:52,848 --> 00:53:55,314
Get completely blown out of the water because

1465
00:53:55,314 --> 00:53:57,087
of one stupid CI

1466
00:53:57,621 --> 00:53:57,780
mistake.

1467
00:53:58,655 --> 00:54:01,056
And I'm not... dude, CrowdStrike doesn't pay

1468
00:54:01,056 --> 00:54:02,963
me. Right? That I get no money from

1469
00:54:02,963 --> 00:54:05,212
them. In fact, we have a love hate

1470
00:54:05,507 --> 00:54:08,209
relationship with CrowdStrike. We absolutely do love

1471
00:54:08,209 --> 00:54:09,969
to hate them. They love to hate us.

1472
00:54:10,128 --> 00:54:13,163
They keep shutting down our licenses for a little

1473
00:54:13,297 --> 00:54:13,693
researching.

1474
00:54:14,485 --> 00:54:15,832
At the end of the day, I mean,

1475
00:54:16,323 --> 00:54:18,465
I'm gonna throw this out there, everybody. God

1476
00:54:18,465 --> 00:54:19,893
damn. They're a pain in the ass.

1477
00:54:21,320 --> 00:54:22,034
That's a good thing.

1478
00:54:23,319 --> 00:54:25,232
Right? So you want it to be

1479
00:54:25,232 --> 00:54:27,224
a pain in our ass. And, like, if

1480
00:54:27,224 --> 00:54:28,739
they handle it in a way. Like if

1481
00:54:28,818 --> 00:54:30,333
I was a CEO, and they handle it

1482
00:54:30,333 --> 00:54:32,360
in a way where you know, they take

1483
00:54:32,496 --> 00:54:35,039
ownership and try and make

1484
00:54:35,039 --> 00:54:36,945
it as right as possible. I don't know

1485
00:54:36,945 --> 00:54:38,773
that I would say. Alright. Because this might

1486
00:54:38,773 --> 00:54:41,418
happen to any product. Yes. That's the

1487
00:54:41,418 --> 00:54:43,494
key. If you think you're gonna move off

1488
00:54:43,494 --> 00:54:45,891
to another vendor and they're never going to

1489
00:54:45,891 --> 00:54:46,930
have this. I've got this.

1490
00:54:47,744 --> 00:54:50,464
This great poster that I saw today where

1491
00:54:50,464 --> 00:54:52,545
they went through and they listed out all

1492
00:54:52,545 --> 00:54:54,864
of the other EDR

1493
00:54:54,864 --> 00:54:57,107
vendors that have had the same type of

1494
00:54:57,107 --> 00:54:59,251
issue. They just aren't as big. Ryan, could

1495
00:54:59,251 --> 00:55:01,634
we kick this up? Yeah, with it Quick.

1496
00:55:02,031 --> 00:55:04,352
Yeah. Yeah. It's just... It's just not EDR

1497
00:55:04,352 --> 00:55:05,865
vendors as well. Right? It's not.

1498
00:55:06,662 --> 00:55:08,436
I think that this could happen to any

1499
00:55:08,574 --> 00:55:08,972
enterprise,

1500
00:55:09,530 --> 00:55:10,486
class software,

1501
00:55:10,899 --> 00:55:13,847
But it's any product at all that

1502
00:55:13,847 --> 00:55:16,157
involves itself with the kernel, which is a

1503
00:55:16,157 --> 00:55:18,945
lot. You know, And I've seen thousands of

1504
00:55:18,945 --> 00:55:21,355
networks since I've been at Black Hills,

1505
00:55:21,355 --> 00:55:23,195
like both large and small. And if you

1506
00:55:23,195 --> 00:55:26,315
think the really large shops aren't held together

1507
00:55:26,315 --> 00:55:28,954
with, like, duct tape and popsicle sticks behind

1508
00:55:28,954 --> 00:55:31,446
the scenes, you're wrong. Right? They are. And

1509
00:55:31,446 --> 00:55:33,920
so I could just imagine this happened because

1510
00:55:33,920 --> 00:55:36,074
a file didn't transfer right. Nobody paid

1511
00:55:36,074 --> 00:55:38,804
attention. Right? Yeah. So I... So the tweet

1512
00:55:38,804 --> 00:55:40,965
talks about blue screen of death in

1513
00:55:41,684 --> 00:55:42,565
what is this, Cortex.

1514
00:55:43,925 --> 00:55:44,905
Another one in K.

1515
00:55:45,696 --> 00:55:49,348
Another one in Symantec Endpoint Protection. Another

1516
00:55:49,348 --> 00:55:52,071
one in Sop net filter. So,

1517
00:55:52,523 --> 00:55:52,841
you know,

1518
00:55:53,494 --> 00:55:55,255
God damn it, CrowdStrike. You're putting me

1519
00:55:55,255 --> 00:55:56,694
into a situation where I have to defend

1520
00:55:56,694 --> 00:55:58,474
you. I did not

1521
00:55:58,775 --> 00:56:00,775
want to be at this point today. I

1522
00:56:00,775 --> 00:56:02,295
did not wanna be at this point today.

1523
00:56:03,508 --> 00:56:04,008
So

1524
00:56:05,426 --> 00:56:07,504
No. I don't... One thing I wanted

1525
00:56:07,504 --> 00:56:09,742
to jump into, I know going back

1526
00:56:09,742 --> 00:56:10,061
a bit.

1527
00:56:11,993 --> 00:56:13,367
A lot of EDR vendors

1528
00:56:13,741 --> 00:56:15,568
have the ability with their updates to actually

1529
00:56:15,568 --> 00:56:17,474
do staggered updates where you can do grouping

1530
00:56:17,474 --> 00:56:19,718
of updates or, you know, push live to

1531
00:56:19,718 --> 00:56:20,915
a big group or you can actually set

1532
00:56:20,915 --> 00:56:22,373
it to that way, depending on

1533
00:56:23,070 --> 00:56:24,907
new settings, you know, you can have a

1534
00:56:24,907 --> 00:56:27,222
small subsection get the latest bleeding edge

1535
00:56:27,222 --> 00:56:30,413
updates and then your core group. So like,

1536
00:56:30,651 --> 00:56:31,999
when you say this whole thing about, like,

1537
00:56:32,157 --> 00:56:33,822
people are gonna stop doing updates. I think

1538
00:56:33,822 --> 00:56:35,487
the only people that benefit from that

1539
00:56:35,899 --> 00:56:37,648
are threat actors when you do that, and

1540
00:56:37,807 --> 00:56:40,113
I wanna stress that. There are some settings

1541
00:56:40,113 --> 00:56:42,896
and controls, like pre-prod, that can deploy

1542
00:56:42,896 --> 00:56:45,541
this. I think, well, this is definitely gonna

1543
00:56:45,541 --> 00:56:48,016
have a bigger conversation, how is your update

1544
00:56:48,016 --> 00:56:50,570
policy set up? We... For a lot of

1545
00:56:50,570 --> 00:56:52,485
time in security focusing on, you know,

1546
00:56:53,219 --> 00:56:55,609
How you're rolling out these updates, How they

1547
00:56:55,609 --> 00:56:57,601
deployed, how they're being tuned. We focus a

1548
00:56:57,601 --> 00:56:59,115
lot about that, but no one really focuses

1549
00:56:59,115 --> 00:57:00,788
it on update tests. And I think this

1550
00:57:00,788 --> 00:57:02,541
is a great opportunity to look at these

1551
00:57:02,541 --> 00:57:04,649
products. Because I know a lot of EDRs

1552
00:57:04,786 --> 00:57:06,379
across the space have the ability to do,

1553
00:57:06,459 --> 00:57:06,618
like,

1554
00:57:07,494 --> 00:57:09,804
staggered updates behind the bleeding edge

1555
00:57:09,804 --> 00:57:10,998
or the current 1. Yeah.

1556
00:57:11,969 --> 00:57:13,478
And I think this... This is a great

1557
00:57:13,478 --> 00:57:15,226
opportunity that if you somehow were able to

1558
00:57:15,226 --> 00:57:18,086
set your thing to not always push the live

1559
00:57:18,086 --> 00:57:19,515
update blindly and have it go to

1560
00:57:19,515 --> 00:57:21,043
a small control test. You might be one

1561
00:57:21,043 --> 00:57:22,877
of the few companies that are not having

1562
00:57:22,877 --> 00:57:24,472
this issue today. Yep.

1563
00:57:25,270 --> 00:57:25,509
Yep.

1564
00:57:26,147 --> 00:57:27,742
Now the big question that I'm getting from

1565
00:57:27,742 --> 00:57:29,657
my family is, like, when do we buy

1566
00:57:29,657 --> 00:57:30,135
on the dip?

1567
00:57:31,266 --> 00:57:32,859
I

1568
00:57:32,859 --> 00:57:33,974
honestly this is...

1569
00:57:35,169 --> 00:57:37,183
I hope I'm wrong, but

1570
00:57:37,733 --> 00:57:40,123
I think this is, like, CrowdStrike's going

1571
00:57:40,123 --> 00:57:41,716
to go down. It's not gonna go out of

1572
00:57:41,716 --> 00:57:44,048
business completely, but it's

1573
00:57:44,424 --> 00:57:46,495
it's going to go down. Like, there is...

1574
00:57:46,907 --> 00:57:48,679
CEOs having very

1575
00:57:49,530 --> 00:57:52,152
blunt conversations with their tech team, and they

1576
00:57:52,152 --> 00:57:53,821
do not give a shit about any of

1577
00:57:53,821 --> 00:57:55,252
the things that we just said,

1578
00:57:55,983 --> 00:57:58,370
and they're like, we need blood. We need

1579
00:57:58,370 --> 00:57:59,984
a head on the platter and

1580
00:58:00,439 --> 00:58:02,031
CrowdStrike's going to be the sacrificial

1581
00:58:02,031 --> 00:58:02,190
lamb.

1582
00:58:03,224 --> 00:58:04,896
I I think that that's going to happen.

1583
00:58:05,468 --> 00:58:07,854
You think the dip already happened possibly. Right?

1584
00:58:08,093 --> 00:58:12,722
It might be. I don't know. But I

1585
00:58:12,722 --> 00:58:14,232
would not people... I would not look at

1586
00:58:14,232 --> 00:58:16,299
this as like, 2 weeks, everything's going to

1587
00:58:16,299 --> 00:58:18,287
be okay. It might be. It might be,

1588
00:58:18,367 --> 00:58:20,116
but this is this is bad.

1589
00:58:20,768 --> 00:58:22,043
Especially if it gets to the point where

1590
00:58:22,043 --> 00:58:24,273
flights are down for, like, the next, like

1591
00:58:24,273 --> 00:58:27,222
week or if it led to people dying.

1592
00:58:27,380 --> 00:58:30,195
Like, there's hospitals that went down, operating rooms

1593
00:58:30,195 --> 00:58:31,335
that went down. Dialysis

1594
00:58:31,635 --> 00:58:32,515
machines that went down,

1595
00:58:33,235 --> 00:58:34,594
at least that's what we're seeing. Right? A

1596
00:58:34,594 --> 00:58:35,875
lot of that shit's not confirmed,

1597
00:58:36,689 --> 00:58:39,563
But, you know, standard outage, companies can recover

1598
00:58:39,563 --> 00:58:41,639
from. If you actually led to loss of

1599
00:58:41,639 --> 00:58:43,635
life and you're a hospital, and you got

1600
00:58:43,635 --> 00:58:45,710
a story of another hospital that went down

1601
00:58:45,710 --> 00:58:46,524
because of this product.

1602
00:58:47,243 --> 00:58:49,800
Right, wrong or indifferent, small mistake, anybody

1603
00:58:49,800 --> 00:58:52,118
can make that mistake. If you choose to

1604
00:58:52,118 --> 00:58:54,276
keep that software in your environment and something

1605
00:58:54,276 --> 00:58:57,166
like this happens again, The liability is not

1606
00:58:57,166 --> 00:58:59,183
going to be on the vendor. The liability

1607
00:58:59,242 --> 00:59:00,780
is going to be on the hospital

1608
00:59:01,158 --> 00:59:03,393
that decided to keep that vendor that had

1609
00:59:03,393 --> 00:59:05,722
something like this happening in the past. And

1610
00:59:05,722 --> 00:59:07,391
once again, I don't think that's fair to

1611
00:59:07,471 --> 00:59:09,775
CrowdStrike. I don't think it is, but

1612
00:59:09,775 --> 00:59:12,239
there's a lot of organizations and lawyers that

1613
00:59:12,239 --> 00:59:13,828
are looking at it through that type of

1614
00:59:13,828 --> 00:59:16,777
lens. And they have to do something.

1615
00:59:17,491 --> 00:59:19,711
And I... And that's that's my big fear

1616
00:59:19,711 --> 00:59:21,376
about what we're seeing this right now. Yeah.

1617
00:59:21,614 --> 00:59:23,456
I, I have a lot of empathy for

1618
00:59:23,456 --> 00:59:24,889
the people that are gonna work the CrowdStrike

1619
00:59:24,889 --> 00:59:25,764
booth at Black Hat.

1620
00:59:27,355 --> 00:59:29,900
Oh, yeah. Yeah. It's gonna be... They might even

1621
00:59:29,900 --> 00:59:32,305
just close it down. Yeah. It might be

1622
00:59:32,305 --> 00:59:34,778
entirely possible that CrowdStrike says this isn't worth

1623
00:59:34,778 --> 00:59:36,692
it. Because think about all the memes and

1624
00:59:36,692 --> 00:59:38,287
the people on Twitter, they're gonna be going

1625
00:59:38,287 --> 00:59:40,042
by and taking a picture of them flipping

1626
00:59:40,042 --> 00:59:42,362
off the CrowdStrike booth. Right? That's gonna

1627
00:59:42,362 --> 00:59:44,188
be the hot thing to do at Black

1628
00:59:44,188 --> 00:59:46,568
Hat. I'm gonna plug CrowdStrike. If you're

1629
00:59:46,568 --> 00:59:48,210
thinking of going to Black Hat, don't booth.

1630
00:59:48,409 --> 00:59:50,642
Well, that's nice. We can not... We

1631
00:59:50,642 --> 00:59:52,556
can... As a community, we're not always the

1632
00:59:52,556 --> 00:59:54,630
nicest folk. No. No. No. No. No. No.

1633
00:59:54,789 --> 00:59:56,864
Can can I Can I suggest that you

1634
00:59:56,864 --> 00:59:58,081
prepare your speech now

1635
00:59:58,474 --> 01:00:01,048
when somebody says, you deployed EDR

1636
01:00:01,586 --> 01:00:04,219
on my biomedical systems and risk the lives

1637
01:00:04,219 --> 01:00:05,357
of patients that

1638
01:00:06,470 --> 01:00:08,869
not to minimize that concern, but I'm here

1639
01:00:08,869 --> 01:00:10,869
to tell you for a certainty if ransomware

1640
01:00:10,869 --> 01:00:11,530
was detonated

1641
01:00:11,990 --> 01:00:15,405
on your biomedical systems, it would directly impact

1642
01:00:15,524 --> 01:00:18,077
your patients? So be prepared to have a

1643
01:00:18,077 --> 01:00:18,577
logical

1644
01:00:19,113 --> 01:00:20,730
conversation about the cost benefit

1645
01:00:21,108 --> 01:00:22,565
of EDR versus

1646
01:00:23,660 --> 01:00:26,722
exploitation versus threat actor access, and I

1647
01:00:26,777 --> 01:00:29,948
cannot overstress that. And a logical conversation,

1648
01:00:30,186 --> 01:00:32,723
not an emotional conversation about there is a

1649
01:00:32,723 --> 01:00:34,413
risk to running EDR,

1650
01:00:34,892 --> 01:00:37,289
and it's this. There's a risk to not

1651
01:00:37,289 --> 01:00:39,286
running EDR and it's this.

1652
01:00:40,899 --> 01:00:42,494
Well, and I'm also gonna kind of, like,

1653
01:00:42,653 --> 01:00:44,806
riff on that a little bit. If you're

1654
01:00:44,806 --> 01:00:47,677
CrowdStrike right now, you need to,

1655
01:00:47,677 --> 01:00:49,511
within the next 12 hours.

1656
01:00:50,162 --> 01:00:52,383
Be saying, what are you doing moving forward

1657
01:00:52,383 --> 01:00:54,366
that you were not doing a week ago.

1658
01:00:54,683 --> 01:00:57,301
Yeah. You cannot say that an intern screwed

1659
01:00:57,301 --> 01:00:59,143
up. You cannot say that an admin screwed

1660
01:00:59,143 --> 01:01:01,211
up. You cannot say that somebody oopsied.

1661
01:01:01,768 --> 01:01:03,757
You've gotta say what are we doing that's

1662
01:01:03,757 --> 01:01:07,035
fundamentally different moving from this moment on, that

1663
01:01:07,035 --> 01:01:09,195
we were not doing last week. And I

1664
01:01:09,195 --> 01:01:11,675
also think being very open about what happened

1665
01:01:11,675 --> 01:01:13,114
and saying, oh, there was a problem in

1666
01:01:13,114 --> 01:01:14,414
our CI pipeline.

1667
01:01:15,048 --> 01:01:16,563
Not good enough. Like, with something like this,

1668
01:01:16,802 --> 01:01:18,794
you're gonna have to say here's specifically where

1669
01:01:18,794 --> 01:01:21,105
the boo boo is. And I would recommend

1670
01:01:21,105 --> 01:01:21,981
looking at Mandiant,

1671
01:01:22,872 --> 01:01:24,625
and whenever they were breached and of course,

1672
01:01:24,784 --> 01:01:26,696
that led into the whole SolarWinds thing.

1673
01:01:27,094 --> 01:01:28,927
Be as open as you possibly can. Like,

1674
01:01:29,006 --> 01:01:31,179
if you're trying to minimize this by doing

1675
01:01:31,237 --> 01:01:33,323
obscurity, if you're gonna try to minimize this

1676
01:01:33,323 --> 01:01:36,032
with this community by trying to double speak

1677
01:01:36,032 --> 01:01:38,661
corporate speak and going around it, you're f'd.

1678
01:01:39,139 --> 01:01:40,891
Not only are you f'd, you deserve to

1679
01:01:40,891 --> 01:01:42,653
be f'd. If you get in front of

1680
01:01:42,653 --> 01:01:44,898
this and you get very detailed technical

1681
01:01:45,269 --> 01:01:47,727
explanations of where the program broke down the

1682
01:01:47,806 --> 01:01:48,837
CI pipeline,

1683
01:01:49,250 --> 01:01:52,049
The validation process broke down and what you're

1684
01:01:52,049 --> 01:01:54,769
doing to rectify that, you may survive this.

1685
01:01:55,089 --> 01:01:56,289
I don't have a lot of hope for

1686
01:01:56,369 --> 01:01:57,329
CrowdStrike to do that.

1687
01:01:58,302 --> 01:02:00,375
I I just seriously don't. But I think

1688
01:02:00,375 --> 01:02:02,847
when this community, like, we react better to

1689
01:02:03,166 --> 01:02:05,558
sunshine, which is weird because we're IT geeks

1690
01:02:05,558 --> 01:02:08,203
and sunshine makes us burn in ways and

1691
01:02:08,203 --> 01:02:09,978
places that are uncomfortable.

1692
01:02:10,514 --> 01:02:12,266
But the more information that you give us

1693
01:02:12,266 --> 01:02:14,272
on what's going on on this, The more

1694
01:02:14,272 --> 01:02:15,782
we're going to trust you moving forward and

1695
01:02:15,782 --> 01:02:17,769
your only marketable thing that you have at

1696
01:02:17,848 --> 01:02:19,915
CrowdStrike right now is trust. And if

1697
01:02:19,915 --> 01:02:21,822
you start burning that with corporate double speak,

1698
01:02:22,140 --> 01:02:22,538
you're done.

1699
01:02:23,348 --> 01:02:25,255
Yeah. I

1700
01:02:25,255 --> 01:02:25,652
wanna

1701
01:02:26,605 --> 01:02:28,830
not to not to be shameless plugging, but

1702
01:02:29,068 --> 01:02:30,657
I'm gonna do a slight plug. Back in

1703
01:02:30,817 --> 01:02:31,317
February,

1704
01:02:32,422 --> 01:02:33,059
I released a

1705
01:02:33,617 --> 01:02:33,856
blog,

1706
01:02:34,493 --> 01:02:35,927
February 22nd, called

1707
01:02:37,202 --> 01:02:38,397
initial access operations.

1708
01:02:40,485 --> 01:02:42,500
Part 1, and it talks about the Windows

1709
01:02:42,638 --> 01:02:45,749
endpoint defense technology landscape. So aside from

1710
01:02:45,749 --> 01:02:47,982
the things that I've said today and that

1711
01:02:48,062 --> 01:02:50,074
Matt Ar said today on this,

1712
01:02:50,952 --> 01:02:51,512
newscast.

1713
01:02:52,711 --> 01:02:55,028
You know, it behooves us to

1714
01:02:55,028 --> 01:02:56,867
do a little research and read up on

1715
01:02:56,867 --> 01:02:58,840
some of these things to

1716
01:03:00,076 --> 01:03:02,949
you know, get get educated about some of

1717
01:03:02,949 --> 01:03:04,464
the things that are going on in the

1718
01:03:04,464 --> 01:03:06,632
systems that we're managing every day. So I

1719
01:03:06,632 --> 01:03:07,903
just wanna to put that out there. Go

1720
01:03:07,903 --> 01:03:08,142
read it,

1721
01:03:08,857 --> 01:03:10,923
and I think you'll learn a few things

1722
01:03:10,923 --> 01:03:12,830
and it helps reinforce some of the stuff

1723
01:03:12,830 --> 01:03:13,545
that I said today.

1724
01:03:14,433 --> 01:03:14,671
Alright.

1725
01:03:15,306 --> 01:03:16,814
Alright. Everybody. Let's wrap it up We've gone

1726
01:03:16,814 --> 01:03:18,401
a little bit over. Thank you so much

1727
01:03:18,401 --> 01:03:20,385
to those of you that joined. Thanks to

1728
01:03:20,465 --> 01:03:22,155
John for joining. Thanks for

1729
01:03:22,703 --> 01:03:24,612
Ryan for being here when he's sick with

1730
01:03:24,771 --> 01:03:26,284
Covid, it's not cool that he's here,

1731
01:03:27,000 --> 01:03:28,591
speaking of processes that need to be fixed.

1732
01:03:28,830 --> 01:03:30,516
We need people that can back him up,

1733
01:03:30,675 --> 01:03:33,062
but he's so good. No. He's he's asleep.

1734
01:03:33,540 --> 01:03:35,609
Don't tell him. He's getting a big head

1735
01:03:35,609 --> 01:03:37,598
is what you're saying. He's got Covid. He's

1736
01:03:37,598 --> 01:03:38,951
not gonna remember any of this anyway.

1737
01:03:40,005 --> 01:03:42,405
But but seriously, I appreciate you guys jumping

1738
01:03:42,405 --> 01:03:44,724
on and really the community jumping on. I

1739
01:03:44,724 --> 01:03:45,204
think we had, like,

1740
01:03:46,085 --> 01:03:48,499
3000 people come on, which is huge. We

1741
01:03:48,499 --> 01:03:50,657
really appreciate all of you in the community.

1742
01:03:51,056 --> 01:03:53,133
You blew up my Discord in ways

1743
01:03:53,213 --> 01:03:55,371
I didn't know was possible. I couldn't keep

1744
01:03:55,371 --> 01:03:55,930
up with you.

1745
01:03:56,824 --> 01:03:58,821
But we appreciate all of you and good

1746
01:03:58,821 --> 01:04:01,457
luck and God bless to every single one

1747
01:04:01,457 --> 01:04:03,055
of you. It's gonna be a rough weekend.

1748
01:04:03,469 --> 01:04:03,867
Take care.