
Comment on CrowdStrike BSOD Root Cause Analysis Release

Following the initial incident response, CrowdStrike recently released this more in-depth Root Cause Analysis (RCA).

The link leads to a preview; the actual RCA is a 12-page PDF.

In my opinion, this RCA is designed more for public relations than to clearly state the problem. That is rather to be expected, because I don’t think there is a good reason why fallout of this magnitude could happen in this way.

First, the reports hide the very obvious mitigation among the listed points: model instances should have been deployed last, when they should have been first. It also feels like they deliberately put in a lot of domain-specific detail to lull the reader to sleep before getting to the final mitigation points 🔴

CrowdStrike also glossed over another important detail, which is their kernel code. The same statement is repeated in the previous report and in this RCA: "Rapid Response Content is configuration data; it is not kernel code or a driver." But the fact that this data is consumed by kernel code and actually caused the problem means it should be treated the same way as kernel code. The mitigation here should be to look at the entire architecture and make sure the absolute minimum amount of code is running in kernel mode. I assume this is a trick, because doing so will be costly or put them in a bad light 🤷