Comments by "Mikko Rantalainen" (@MikkoRantalainen) on "IT WAS A REGEX?!? - Full CrowdStrike Report Released" video.
21:30 This sounds like "we only do unit testing with mock data" – how about doing some integration tests, too, with real Windows installs, before distributing the files automatically to nearly 10 million systems? Like run the actual update on real hardware running Windows, restart the Windows system and then check if the booted system can detect the attacks you're trying to guard against? That kind of testing would have shown that "oops, the system didn't come up after restart".
11
Bob Ross would have been proud of CrowdStrike software: it only worked as a result of happy accident. Ever. And it was a small miracle the whole system collapsed only now. With the engineering standards that they are demonstrating in this report, I'd have expected to see major issues years ago.
7
39:30 I read this as "If Microsoft had provided us an easy-to-use API for this stuff, we wouldn't have needed to create our own kernel driver". Yeah, but you did decide to write your own kernel driver but did a half-assed job on it.
6
8:40 I think this still doesn't explain why the update file was full of zeros. I would understand if it contained some actual data but didn't match the expected runtime parser.
4
I can somehow understand that their regex test for the arguments failed to catch the failure, but how on Earth do their tests not include "reboot the system after the update", considering their kernel driver is marked as critical for boot?? If they even had an automated system that installs the update and reboots the system, the whole failure would have been caught before release. Clearly there was no real testing of any kind. And the scary thing is that they believe they are doing "multiple levels of testing".
2
24:30 So their "content validator" didn't validate the content?? Even at such a rudimentary level as "the content is supposed to contain 21 items, check the length".
1
3:20 A regex engine running inside a critical kernel driver – what could go wrong?
1
This all sounds like they had code reviews for their scripting engine but no reviews of any kind of the actual data updates. All the stuff about mock data suggests that those tests were only about the scripting engine. And the "content validator" not bothering to even check the length of the data points to major skill issues. It would be interesting to know what kind of stuff they were trying to validate.
1
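The two comments above (24:30 and the last one) both come down to the same point: a content validator that sits between the update pipeline and a privileged consumer should reject structurally wrong data before the consumer ever touches it. The following is an added illustration, not code from the commenter, from the video, or from CrowdStrike; the tab-separated record format, the function names and the sample payloads are constructed for the example. The only value taken from the comment is the expected item count of 21. It shows the three checks the comments ask for: rejecting an empty or all-zero payload, rejecting a record whose field count does not match what the consumer expects, and a consumer-side lookup that refuses to read past the end of a record instead of faulting.

```python
"""Added example: a structural content validator in front of a privileged
consumer. The file format below is hypothetical and constructed for this
example; it is not CrowdStrike's channel-file format."""
from dataclasses import dataclass, field
from typing import List, Optional

EXPECTED_FIELDS = 21      # item count cited in the comment; everything else is constructed
FIELD_SEP = "\t"
RECORD_SEP = "\n"


@dataclass
class ValidationResult:
    ok: bool
    reason: str
    records: List[List[str]] = field(default_factory=list)


def validate_content(raw: bytes) -> ValidationResult:
    """Check the payload's structure before any consumer parses it."""
    # 1. An empty or all-zero payload is never valid content.
    if not raw:
        return ValidationResult(False, "empty payload")
    if raw.count(0) == len(raw):
        return ValidationResult(False, "payload is all zero bytes")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ValidationResult(False, "payload is not valid UTF-8")

    records: List[List[str]] = []
    for lineno, line in enumerate(text.split(RECORD_SEP), start=1):
        if not line:
            continue  # tolerate a trailing newline
        fields = line.split(FIELD_SEP)
        # 2. The rudimentary length check: every record must carry exactly
        #    the number of fields the consumer will index into.
        if len(fields) != EXPECTED_FIELDS:
            return ValidationResult(
                False,
                f"record {lineno} has {len(fields)} fields, expected {EXPECTED_FIELDS}",
            )
        if any(f == "" for f in fields):
            return ValidationResult(False, f"record {lineno} has an empty field")
        records.append(fields)

    if not records:
        return ValidationResult(False, "no records in payload")
    return ValidationResult(True, "ok", records)


def get_field(record: List[str], index: int) -> Optional[str]:
    """Consumer-side bounds check: return None instead of reading out of range.
    In a kernel component the equivalent would be a length check before the
    array access, so a short record degrades to 'no match' rather than a fault."""
    if 0 <= index < len(record):
        return record[index]
    return None


def make_record(n_fields: int) -> str:
    """Build one constructed record with the given number of fields."""
    return FIELD_SEP.join(f"v{i}" for i in range(n_fields))


# Constructed sample payloads: one well-formed, one short by a field, one all zeros.
GOOD_PAYLOAD = (make_record(EXPECTED_FIELDS) + RECORD_SEP).encode()
SHORT_PAYLOAD = (make_record(EXPECTED_FIELDS - 1) + RECORD_SEP).encode()
ZERO_PAYLOAD = b"\x00" * 64


if __name__ == "__main__":
    for name, payload in [("good", GOOD_PAYLOAD), ("short", SHORT_PAYLOAD), ("zeros", ZERO_PAYLOAD)]:
        result = validate_content(payload)
        print(f"{name:5s}: ok={result.ok} reason={result.reason}")
    rec = validate_content(GOOD_PAYLOAD).records[0]
    print("field 20 ->", get_field(rec, 20), "| field 21 ->", get_field(rec, 21))
```

The validator is deliberately dumb: it knows nothing about what the fields mean, only how many there must be and that the bytes must not be empty or zeroed. That is exactly the check the comment says was missing, and it is cheap enough to run in the build pipeline, in a staged rollout gate, and again in the consumer before the data is handed to anything as unforgiving as an in-kernel parser.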