
Yep. We can't migrate our workstations to Ubuntu 24.04 because CrowdStrike's Falcon kernel modules don't support the kernel version yet. Presumably they wanted to move to eBPF but I'm guessing that hasn't happened yet. Also: I can't find the source code of those kernel modules - they likely use GPL-only symbols, wouldn't that be a GPL violation?



Why would you use CrowdStrike on Ubuntu? Is it because of a real security concern, or abiding by regulations (thou shalt have an antivirus) or else?


I was given to understand that CrowdStrike provided some protection from unvetted export of data. I'm not sure that data would be useful without the rare domain expertise to use it, but I wasn't shown the risk analysis. And then someone else demands and gets SSH access to GitHub. Sigh.


Ask my IT dep. AFAIK it's audit related, safety-critical software


I think "compliance" would be a better word to use than "safety" when it comes to a lot of "security" software on computers.

And I bring up the distinction because while compliance is "sometimes" about safety, it's also very often about KPIs of particular individuals or due to imaginary liability for having not researched every possible "compliance" checkbox conceivable and making sure it's been checked.

Some computer security software is completely out of hand because its primary purpose is to have the appearance of effectiveness for the exec whose job is to tick off as many safety checkboxes as they can find, as opposed to being actually pragmatically effective.

If the same methodologies were applied to car safety, cars would be so weighed down by safety features, that they wouldn't be able to go faster than 40km/h.


Just to be safe, of course! In my org they try to roll out SentinelOne on every 'endpoint' regardless of operating system.


Probably only a violation if you distribute the linked result. Not if you only install it.


How would you install it without them distributing it?


They mean distributing Linux + the module together. Like e.g. shipping the Nvidia kernel module alone is fine, but shipping a Linux distro with that module preinstalled is not fine.


Two different "it". As an analogy: selling pizza Hawaii is dicey, but you can sell pineapple slices and customers can add those to their pizza themselves.


> We can't migrate our workstations to Ubuntu 24.04 because Crowdstrikes

Should you upgrade before 24.04.1 is released? It's scheduled for August 15.


IIRC, about 12-18 months ago CrowdStrike was recruiting for a developer with eBPF skills.


The generally accepted (but not well tested) legal position is that it's ok to have a proprietary kernel module that is dynamically loaded.

You can, for instance, ask a running kernel if it is "tainted" by having loaded a non-GPL module.
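The taint check mentioned above, as an added example (not code from the thread or from any vendor). It reads `/proc/sys/kernel/tainted` and decodes the bitmask, with bit 0 (`P`) being the "proprietary module loaded" flag the comment refers to; it also lists per-module flags from `/sys/module/<name>/taint`, which is how you find out *which* module set the bit. Bit meanings are taken from the kernel's `Documentation/admin-guide/tainted-kernels.rst` for bits 0-17; anything higher is reported as unknown, since newer kernels keep adding bits.

```shell
#!/bin/sh
# Decode the Linux kernel taint bitmask. Added example, not from the thread.
# Bit table follows Documentation/admin-guide/tainted-kernels.rst (bits 0-17);
# bits beyond that exist on newer kernels and are reported as "unknown".

# decode_taint VALUE -> prints one "bit:letter:description" line per set bit
decode_taint() {
    value=$1
    bit=0
    while [ "$value" -gt 0 ]; do
        if [ $((value & 1)) -eq 1 ]; then
            case $bit in
                0)  printf '%s\n' "$bit:P:proprietary (non-GPL) module loaded" ;;
                1)  printf '%s\n' "$bit:F:module force-loaded" ;;
                2)  printf '%s\n' "$bit:S:SMP kernel on unsupported CPU" ;;
                3)  printf '%s\n' "$bit:R:module force-unloaded" ;;
                4)  printf '%s\n' "$bit:M:machine check exception occurred" ;;
                5)  printf '%s\n' "$bit:B:bad page referenced" ;;
                6)  printf '%s\n' "$bit:U:taint requested by user space" ;;
                7)  printf '%s\n' "$bit:D:kernel died recently (oops/BUG)" ;;
                8)  printf '%s\n' "$bit:A:ACPI table overridden by user" ;;
                9)  printf '%s\n' "$bit:W:kernel issued a warning" ;;
                10) printf '%s\n' "$bit:C:staging driver loaded" ;;
                11) printf '%s\n' "$bit:I:platform firmware workaround applied" ;;
                12) printf '%s\n' "$bit:O:out-of-tree module loaded" ;;
                13) printf '%s\n' "$bit:E:unsigned module loaded" ;;
                14) printf '%s\n' "$bit:L:soft lockup occurred" ;;
                15) printf '%s\n' "$bit:K:kernel has been live-patched" ;;
                16) printf '%s\n' "$bit:X:auxiliary taint (distro-defined)" ;;
                17) printf '%s\n' "$bit:T:built with struct randomization" ;;
                *)  printf '%s\n' "$bit:?:unknown taint bit" ;;
            esac
        fi
        value=$((value >> 1))
        bit=$((bit + 1))
    done
}

# has_proprietary_module VALUE -> exit 0 if the P bit (bit 0) is set, 1 otherwise
has_proprietary_module() {
    [ $(($1 & 1)) -eq 1 ]
}

# report_live_taint -> on a Linux host, decode the current taint value and
# list each module that carries taint flags (e.g. "POE" = proprietary,
# out-of-tree, unsigned). Degrades gracefully where /proc is unavailable.
report_live_taint() {
    if [ -r /proc/sys/kernel/tainted ]; then
        t=$(cat /proc/sys/kernel/tainted)
        echo "kernel taint value: $t"
        decode_taint "$t"
        for f in /sys/module/*/taint; do
            [ -r "$f" ] || continue
            flags=$(cat "$f")
            [ -n "$flags" ] && echo "module $(basename "$(dirname "$f")"): $flags"
        done
    else
        echo "no /proc/sys/kernel/tainted (not Linux, or /proc not mounted)"
    fi
}

# Usage on a live system:
#   report_live_taint
# Offline decode of a constructed value (bits 0 and 12 set, i.e. "PO"):
#   decode_taint 4097
```

A taint value of 0 means the kernel has only loaded in-tree GPL-compatible modules; note that a module that is out-of-tree but GPL-licensed sets `O` without `P`, so the per-module flags are the more useful signal for the licensing question raised in the thread.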


Last time I dealt with HP, I had to use their fakeraid proprietary kernel module which "tainted" the kernel. Of course they never open-sourced it. I guess it's not necessary.


GPL exported symbols are the ones that are thought to be so tightly coupled to the kernel implementation that if you are using them, you are writing a derivative work of the kernel.


Yeah that was also my understanding, and I can't imagine an AV module able to intercept filesystem and syscalls to be only using non-core symbols. But of course you never know without decompiling the module.


> and I can't imagine an AV module able to intercept filesystem and syscalls to be only using non-core symbols.

I can, considering that you can do that from user space using strace. Or eBPF, which is probably the actual right way to do this kind of thing.



