Mikina

joined 2 years ago
[–] Mikina@programming.dev 4 points 11 months ago

I'm not. I vaguely remember seeing it in some posts and comments, and it would explain it pretty well, so I kind of took it as a likely outcome. In hindsight, you are right, I shouldn't have been spreading hearsay. Thanks for the wakeup call, honestly!

[–] Mikina@programming.dev 21 points 11 months ago (1 children)

I see a lot of hate ITT on kernel-level EDRs, which I wouldn't say they deserve. Sure, for your own use an AV is sufficient and you don't need an EDR, but they make a world of difference. I work in cybersecurity doing Red Teaming, so my job is mostly about bypassing such solutions and making malware/actions within the network that avoid being detected by it as much as possible, and ever since EDRs started getting popular, my job got several leagues harder.

The advantage of EDRs in comparison to AVs is that they can catch 0-days. AV will just look for signatures, known pieces or snippets of malware code. EDR, on the other hand, looks for sequences of actions a process does, by scanning memory, logs and hooking syscalls. So if, for example, you made an entirely custom program that allocates memory as Read-Write-Execute, then loads a crypto DLL, decrypts something into that memory, and then calls a thread-spawn syscall to spawn a thread in another process that runs it, an EDR would correlate such actions and get suspicious, while to a regular AV the code would probably look OK. Some EDRs even watch network packets and can catch suspicious communication, such as port scanning, large data extraction, or C2 communication.

Sure, in an ideal world, you would have users that never run malware, and a network that is impenetrable. But you still get on average a few % of people running random binaries that came from phishing attempts, or around 50% of people that fall for vishing attacks in your company. Having an EDR increases your chances to avoid such attacks almost exponentially, and I would say that the advantage it gives EDRs that they are kernel-level is well worth it.

I'm not defending CrowdStrike, they did mess up, to the point where I bet that the amount of damage they caused worldwide is nowhere near the amount of damage all the cyberattacks they prevented would have caused in total. But hating on kernel-level EDRs in general isn't warranted here.

Kernel-level anti-cheat, on the other hand, can go burn in hell, and I hope that something similar will eventually happen with one of them. Fuck kernel level anti-cheats.

[–] Mikina@programming.dev 2 points 11 months ago

Why does this need to be installed here when previously agentless technologies were sufficient

As someone who works in offensive cybersecurity doing Red Teaming, where most of my job is to bypass and evade such solutions, I can say that bypassing agentless technologies is so much easier than agented ones. While you can access most of the logs remotely, having an agent helps enormously with catching 0-day malware, since you can scan memory (that one is a bitch to bypass and is usually how we get caught), or hook syscalls which you can then correlate.

Oh, an unknown unsigned process just called an RWX memory allocation, loaded a crypto binary, and spawned a thread in another process that's trying to execute it? Better scan that memory and see what it's up to. That is something you cannot do remotely.
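The chain that the two comments above describe (RWX allocation, crypto DLL load, then a thread spawned in a different process) as an added example, not code from the original comments or from any real EDR product: a small Python correlator run over constructed host telemetry. The event schema, field names, crypto module list, time window, scoring and the sample log lines are all assumptions made for illustration. The point it shows is that no single event is malicious on its own, which is why a file-signature AV has nothing to match, while correlating them per process within a time window yields an alert that tells the agent which process's memory to go and scan.

```python
"""Toy behavioural correlation of the kind the comments above attribute to an EDR agent.

Added example; not code from the original comments or from any real EDR product.
The event schema, field names, module list, time window, scoring and the sample
telemetry below are all constructed for illustration (assumptions, not a real sensor).
"""
import json
from collections import defaultdict

# Modules whose load, on its own, is harmless but contributes to the pattern (assumed list).
CRYPTO_MODULES = {"bcrypt.dll", "crypt32.dll", "ncrypt.dll", "cryptsp.dll"}

# All steps of the chain must land inside this many seconds (assumed value).
WINDOW_SECONDS = 60.0

# Constructed telemetry, one JSON object per line, ordered by timestamp.
# pid 5120: unsigned download that does RWX alloc -> crypto DLL -> remote thread (the chain).
# pid 6001: signed browser that does an RWX alloc (JIT-like) and loads a crypto DLL but
#           only creates a thread in itself; it must NOT alert.
SAMPLE_LOG = r"""
{"ts": 100.0, "pid": 4100, "event": "process_start", "image": "C:\\Windows\\System32\\svchost.exe", "signed": true}
{"ts": 101.0, "pid": 5120, "event": "process_start", "image": "C:\\Users\\bob\\Downloads\\invoice.exe", "signed": false}
{"ts": 101.2, "pid": 5120, "event": "mem_alloc", "protect": "PAGE_EXECUTE_READWRITE", "size": 65536}
{"ts": 101.3, "pid": 5120, "event": "image_load", "module": "bcrypt.dll"}
{"ts": 101.9, "pid": 5120, "event": "remote_thread", "target_pid": 4100}
{"ts": 102.0, "pid": 6001, "event": "process_start", "image": "C:\\Program Files\\Browser\\browser.exe", "signed": true}
{"ts": 102.5, "pid": 6001, "event": "mem_alloc", "protect": "PAGE_EXECUTE_READWRITE", "size": 1048576}
{"ts": 103.0, "pid": 6001, "event": "image_load", "module": "bcrypt.dll"}
{"ts": 104.0, "pid": 6001, "event": "remote_thread", "target_pid": 6001}
"""


def parse_events(text):
    """Parse newline-delimited JSON telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_rwx(protect):
    """True for page protections that are both writable and executable."""
    return "EXECUTE" in protect and "WRITE" in protect


def correlate(events, window=WINDOW_SECONDS):
    """Return one alert per process that completes the chain
    RWX allocation + crypto module load + thread created in a *different* process,
    with all three inside `window` seconds. No single event is judged on its own;
    that is the difference from a signature match on file contents."""
    procs = {}                  # pid -> metadata captured at process_start
    seen = defaultdict(dict)    # pid -> {"rwx": ts, "crypto": ts}
    alerts = []
    for ev in events:
        pid, kind, ts = ev["pid"], ev["event"], ev["ts"]
        if kind == "process_start":
            procs[pid] = {"image": ev["image"], "signed": ev["signed"]}
        elif kind == "mem_alloc" and is_rwx(ev["protect"]):
            seen[pid]["rwx"] = ts
        elif kind == "image_load" and ev["module"].lower() in CRYPTO_MODULES:
            seen[pid]["crypto"] = ts
        elif kind == "remote_thread" and ev["target_pid"] != pid:
            steps = seen[pid]
            if "rwx" in steps and "crypto" in steps and ts - min(steps.values()) <= window:
                meta = procs.get(pid, {"image": "<unknown>", "signed": None})
                # Unsigned binaries weigh more (assumed scoring, not any vendor's).
                score = 3 + (2 if meta["signed"] is False else 0)
                alerts.append({
                    "pid": pid,
                    "image": meta["image"],
                    "signed": meta["signed"],
                    "target_pid": ev["target_pid"],
                    "score": score,
                    "evidence": [
                        f"rwx_alloc@{steps['rwx']}",
                        f"crypto_load@{steps['crypto']}",
                        f"remote_thread@{ts}->pid {ev['target_pid']}",
                    ],
                    # What an agent would do next: scan the RWX region of `pid`.
                    "action": "scan_memory",
                })
                seen.pop(pid, None)   # chain consumed; start over for this process
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run as-is it prints a single alert for pid 5120 (score 5, target pid 4100); the browser process never alerts because its only thread creation targets itself. Shrinking `window` below the spread of the three events suppresses the alert, which is the knob a real product tunes against noise from JIT-heavy software.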

[–] Mikina@programming.dev 2 points 11 months ago (2 children)

From what I've heard, didn't the issue happen not solely because of the CS driver, but because of an MS update that was rolled out at the same time, and the changes the update made caused the CS driver to go haywire? If that's the case, there's not much MS or CS could have done to test it beforehand, especially if both updates rolled out at around the same time.

[–] Mikina@programming.dev 1 points 11 months ago (2 children)

From what I've heard, and to play devil's advocate, it coincided with Microsoft pushing out a security update at basically the same time, which caused the issue. So it's possible that they didn't have a way to test it properly, because they didn't have the update at hand before it rolled out. So the fault wasn't only in a bug in the CS driver, but in the driver's interaction with the new Windows update, which they didn't have.

[–] Mikina@programming.dev 24 points 11 months ago (1 children)

I wouldn't call Crowdstrike corporate spyware garbage. I work as a Red Teamer in cybersecurity, and EDRs are the bane of my existence: they are useful, and pretty good at what they do. In the last few years I'm struggling more and more with the engagements we do, because EDRs just get in the way and catch a lot of what would have passed undetected a month ago. Staying on top of them with our tooling is getting more and more difficult, and I would call that a good thing.

I've recently tested a company without an EDR, and boy was it a treat. I'm not defending Crowdstrike; to call that a major fuckup is a great understatement, but calling it "corporate spyware garbage" feels a little bit unfair. EDRs do make a difference, and this wasn't an issue with their product in itself, but with the irresponsibility of their patch management.

[–] Mikina@programming.dev 3 points 1 year ago* (last edited 1 year ago)

Crypto is doing kind of OK. But what about other blockchain apps and startups, or blockchain integrations into every tech imaginable? There were so many popping up, just like there are with AI now. Business models and use cases that are based solely on the hype of the tech in question, without any consideration of whether it's actually a good fit for the tech. That is the point, and what it has in common with AI and other "buzzwords".

[–] Mikina@programming.dev 8 points 1 year ago (2 children)

I'm not sure about other countries, but here in Czechia we actually have a mandatory subscription, which is absolutely bullshit.

So far, the law is that if you own any TV or radio, you have to pay a monthly fee for the public service broadcasters (national Czech TV). It's bullshit, the channels are full of ads anyway, and the shows they run and create are insultingly bad. Sure, it is important to have public service broadcasters that are not dependent on the state (because state-owned TV is a reeaallly bad idea), but FFS, can they just reduce costs and stick to news, instead of doing another stupid series, and stop forcing us to pay for something I don't care about or use?

You could just not pay the fee if you stated you don't have a TV capable of receiving it (which I don't). But now they are changing the law so that everyone who has any kind of internet-capable device has to pay the monthly fee, while also raising the price to something like 6 EUR per month. Fuck that and fuck them.

[–] Mikina@programming.dev 6 points 1 year ago (1 children)

I never managed to get gamescope working on my Nobara. Any docs I should look into?

[–] Mikina@programming.dev 11 points 1 year ago

Many companies are still using Windows 7 machines or Windows Server 2008, without the MS17-010 patch. They don't really care about security that much when it's inconvenient or slightly difficult to mitigate. They won't be switching their entire architecture just for a few screenshots.

[–] Mikina@programming.dev 2 points 1 year ago

I've just been talking with my kind of tech-illiterate gf about switching hers to Linux too, since she saw some articles about Copilot and Recall, which she hates with a passion. Should I go for Mint or PopOS, assuming she games on Steam a lot (nothing with anticheat, thankfully)? She's working in a GSuite/Slack workshop, so there shouldn't be any problems with that. However, she does have an NVIDIA GPU, which was the cause of most troubles for me.

I'm on Nobara, but that's because I've always preferred Fedora, and it isn't exactly smooth sailing. Nothing major, but I suppose one of the two I mentioned would be a better choice.

[–] Mikina@programming.dev 14 points 1 year ago* (last edited 1 year ago)

I'm also pretty sure the camera uses some ML algorithms in processing the pictures, so it is an AI by today's standards.
