
At the end of the day, if you give an application a deep set of permissions, that's on you as an administrator, not the OS. This unchecked global rollout appears to just be a violation of every good software engineering practice we know.



Administrators are to blame because management (and a lot of 'cybersecurity policies') demand there's a virus scanner on the machines?

While virus scanners might pick up some threats not addressed by OS updates yet, every one of them I've seen is a rootkit in disguise wanting full system privileges. There are numerous incidents with security holes and crashes caused by these security products. They also aren't that clever: repeatedly scanning the same files 'on access' over and over again, wasting CPU and IO, is not going to give you any extra security.


Not so much in disguise.

CS has official RCE root/admin access on all the clients. Which skips any normal auth of the OS. Yes, on all Windows, Mac and Linux.


I often watch Crowdstrike thrash my laptop's resources, making it slow to do compiles. Cybersecurity won't let me disable it either, so I just set it to a lower priority process.


You might have more luck asking Cybersecurity to add a path like ~/code which contains your source code to the exclusion list.


As someone who worked for a company that's a Crowdstrike partner, I assure you that Crowdstrike does not sell to administrators. It is very much a product sold to management and company auditors.

Where you're correct is that it's on the administrators to roll out the updates, but I'm not sure that's how Crowdstrike works. It's a managed solution and updates are done for you; maybe that can be disabled, but I honestly don't know.


This should clue you in.

CS is not sold to SA or technical types. It's sold to management as a risk reduction.

The whole point is that if you are technical, you are so untrusted that management is willing to require circumvention of known good practices and force installation of this software against technical advice.


> This unchecked global rollout appears to just be a violation of every good software engineering practice we know.

Yeah, this is what surprises me. Corporate infrastructure policy seems to have been matched to smartphone default settings.


I have worked in Finance for 25 years, and the amount of pressure I had to withstand from Auditing on "Why do we have a 20-day window on applying most updates as we get them from suppliers? We are not best practice!" is gruelling.

These people report to the Board Chairman, don't understand any real implication of their work, and believe the world is a simplistic Red - Amber - Green grid.

I understand most CIOs / CTOs / CISOs in Corporate would buckle.


So the silver lining from this incident would be that you can simply point to it, and tell those auditors to fuck off.


I'm pretty sure Apple does gradual rollouts of upgrades, so default smartphone settings are better than that.


It's actually worse than phone updates. Ever looked at your phone and noticed it hasn't updated to the new OS despite it having been out for a few days already? This is why.



