ClownStrike, redux
July 20, 2024
It's funny that people are drawing exactly the wrong lesson from ClownStrike.
The lesson people draw: 'Windows shit, Linux/macOS wonderful', followed by the inevitable stupid fight about which exactly of Linux and macOS is the most wonderful.
The lesson people should draw: 'if you allow the clown privileged access to your systems you are a fool who should not be running a brick'.
'Ah', pipe up the chorus of smug neckbeard *nix weenies, 'but you see we never do that, because the architecture of the system you see, and drone drone whine mansplain drone ... drone'.
Shut up. Seriously, shut up.
Yesterday I built an Ubuntu VM. It wanted me to have something called 'Ubuntu Pro'. And there is documentation, and you can find this:
When a high or critical Linux kernel vulnerability is detected a livepatch along with a Livepatch Security Notice are issued. Systems that enable the livepatch client will receive and apply the patch, after it is made available. The livepatch will provide new kernel code replacing the vulnerable one, and will update the rest of the kernel to use the new code.
[My emphasis.]
Does that sound like allowing the clown privileged access to your systems to you? Because that's what it sounds like to me.
'Ah', the weenies pipe, 'but you can trust Ubuntu, and anyway everyone uses RHEL really'. Yes, of course you can trust Ubuntu, of course you can, they're never going to make a mistake because they're Ubuntu, right? And do you think IBM/RH aren't doing the same thing? Because they are.
And let's look at Qualys. Look at the cloud agent documentation and the Linux guide. From which:
For PC scans, we require the sudo/root privilege. With non-root privilege, the PC report is unreliable and does not provide a complete covering of CIS&DISA policies.
['PC' is 'Policy Compliance'.]
And do you think the people who were running ClownStrike on their Windows systems weren't running it on their other systems too? Do you think it doesn't run as a privileged user there? Really?
And all of the critical financial infrastructure is going to be running one or more bits of this shit. And by now they're pretty much a RHEL/x64 monoculture. So that's good.
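As an added illustration of the point (not from the post, and not any vendor's tooling): one way a defender can find out which third-party agents actually hold root on a Linux host is to read systemd's unit properties and flag every root-running unit whose binary lives outside the distro's package-managed paths. The sample `systemctl show` output, the unit names, the paths and the helper functions below are all constructed for the example.

```python
import re
from typing import Dict, List

# Paths owned by the distro package manager. A unit that runs as root from
# anywhere else is a third party that has been handed privileged access.
DISTRO_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/usr/lib/", "/usr/libexec/")

# Constructed sample resembling
#   systemctl show -p Id,User,ExecStart,UnitFileState <unit>
# for several units. Names and paths are illustrative, not captured output.
SAMPLE = """\
Id=ssh.service
User=
ExecStart={ path=/usr/sbin/sshd ; argv[]=/usr/sbin/sshd -D ; ignore_errors=no }
UnitFileState=enabled

Id=compliance-scanner-agent.service
User=
ExecStart={ path=/usr/local/scanner/bin/agentd ; argv[]=/usr/local/scanner/bin/agentd ; ignore_errors=no }
UnitFileState=enabled

Id=vendor-edr-sensor.service
User=root
ExecStart={ path=/opt/vendor-edr/sensord ; argv[]=/opt/vendor-edr/sensord ; ignore_errors=no }
UnitFileState=enabled

Id=metrics-exporter.service
User=prometheus
ExecStart={ path=/opt/exporter/node_exporter ; argv[]=/opt/exporter/node_exporter ; ignore_errors=no }
UnitFileState=enabled
"""


def parse_units(text: str) -> List[Dict[str, str]]:
    """Split systemctl's blank-line-separated property blocks into dicts."""
    units = []
    for block in text.strip().split("\n\n"):
        props = dict(line.split("=", 1) for line in block.splitlines() if "=" in line)
        # ExecStart is a structured field; only the executable path matters here.
        m = re.search(r"path=(\S+)", props.get("ExecStart", ""))
        props["path"] = m.group(1) if m else ""
        units.append(props)
    return units


def privileged_third_party(units: List[Dict[str, str]]) -> List[str]:
    """Unit ids that run as root (User empty or 'root') from a non-distro path."""
    flagged = []
    for u in units:
        runs_as_root = u.get("User", "") in ("", "root")
        distro_owned = u["path"].startswith(DISTRO_PREFIXES)
        if runs_as_root and u["path"] and not distro_owned:
            flagged.append(u["Id"])
    return flagged


if __name__ == "__main__":
    for unit in privileged_third_party(parse_units(SAMPLE)):
        print("privileged third-party agent:", unit)
```

On a real host, feed the function the output of `systemctl show` for each service instead of `SAMPLE`; what comes back is the list of parties you are trusting with root, whether or not you remembered installing them.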
Who knew that letting the clown control your infrastructure means that you have to trust the clown, which is a bad idea? Who knew that letting the clown control your infrastructure means that the clown has a huge target painted on their back and will be liable to attack by president Evil? This has already happened to Qualys.
ClownStrike was the world dodging a bullet. People have no doubt died, but probably not that many. Next time, or the time after, we won't dodge it. And then it will not be funny.
And yes, I know Windows is shit, OK? I do not allow Windows in my life. I know Windows didn't help in any of this. But that's not the point: the point is that, if you think this is about Windows, you should not be running computers.