
Can somebody summarize what CrowdStrike actually is/does? I can't figure it out from their web page (they're an "enterprise" "security" "provider", apparently). Is this just some virus scanning software? Or is it some bossware/spyware thing?



It's both. Antivirus along with spyware to also watch for anything the user is doing that could introduce a threat, such as opening a phishing email, posting on HN, etc.


[flagged]


It's not really up to the companies. In this day and age, everyone is a target for ransomware, so every company with common sense holds insurance against a ransomware attack. One of the requirements of the insurance is that you have to have monitoring software like Crowdstrike installed on all company machines. The company I work for fortunately doesn't use Crowdstrike, but we use something similar called SentinelOne. It's very difficult to remove, and it's a fireable offense if you manage to.


No doubt mandated so that the NSA can have a backdoor to everything just by having a deal with each one of those providers.

I think there's a Ben Franklin quote that applies here. "Those who would give up essential liberty, to purchase a little temporary safety, deserve neither liberty nor safety."


Just remember that the liberty was of the government to tax people for military spending.

Or that Security Monitoring is well established field that has actually given a lot of results in preventing various attacks.


Highly likely, yes.


Yup, it's also a requirement to be compliant with security standards like NIST.


What NIST requirement is that?


It is kinda implied throughout SP 800-171r3 that EDRs will make meeting the requirements easier, although they are only specifically mentioned in section 03.04.06.


Most corporate places I've encountered over the last N years mandate one kind of antivirus/spyware combo or another on every corporate computer. So it'd be pretty much every major workplace.


Just because everyone does it doesn't make it not a dumb idea. Everyone eats sugar.

If the average corporation hates/mistrusts their employees enough to add a single point of failure to their entire business and let a 3rd party have full access to their systems, then well, they reap what they sow.


I think you have to look beyond the company. In my experience, even the people implementing these tools hate them and rarely have some evil desire to spy on their employees and slow down their laptops. But without them as part of the IT suite, the company can't tick the EDR or AV box, pass a certain certification, land a certain type of customer, etc. It is certainly an unfortunate cycle.


This goes way higher than the average corporation.

This is companies trying desperately to deliver value to their customer at a profit while also maintaining SOC 2, GDPR, PCI, HIPAA, etc. compliance.

If you're not a cybersecurity company, a company like CrowdStrike saying: 'hey, pay us a monthly fee and we'll ensure you're 100% compliant _and_ protected' sounds like a dream come true. Until today, it probably was! Hell, even after today, when the dust settles, still probably worth it.


Sounds like the all too common dynamic of centralized top-down government/corporate "security" mandates destroying distributed real security. See also TSA making me splay my laptops out into a bunch of plastic bins while showing everyone where and how I was wearing a money belt. (I haven't flown for quite some time, I'm sure it's much worse now)

There's a highly problematic underlying dynamic where 364 days out of the year, when you talk about the dangers of centralized control and proprietary software, you get flat out ignored as being overly paranoid and even weird (don't you know that "normal" people have zero ability or agency when it comes to anything involving computers?!). Then something like this happens and we get a day or two to say "I told you so". After which the managerial class goes right back to pushing ever-more centralized control. Gotta check off those bullet point action items.


They fixed that. Now you can fly without taking your laptop out, or taking your shoes and belt off. You just have to give them fingerprints, a facial scan and an in-person interview. They give you a little card. It's nifty.


And the most important part: pay them an annual subscription fee.

Sincerely,

PreCheck Premium with Clear Plus Extra customer


There's nothing socially repressive about having airline travel segregated into classes of passengers at all, nope, this is completely normal /s

I go through the regular TSA line out of solidarity and protest. Fuck the security theater.


My response was intended as sarcasm. But eventually, I don't think it will be a two-tiered system. You simply won't be allowed to fly without what is currently required for precheck.

And fwiw, I don't think the strong argument against precheck has to do with social class... it's not terribly expensive, and anyone can do it. It's just a further invasion of privacy.


Precheck is super cheap, it's like less than $100 once per 5 years. Yes, it is an invasion of privacy, but I suspect the government already has all that data anyway many times over.


Totally with you. Pre-check is an ugly band-aid on a flawed system.


> showing everyone where and how I was wearing a money belt

I only fly once every couple years, but I really hated emptying my pockets into those bins. The last time I went through, the agent suggested I put everything in my computer bag. That worked a lot better.


That's what I usually do, except when they ask you to take out all your devices and put them in bins individually.


Last time I flew, in Sweden, the guy was angry at me for having to do his job, so he slipped my passport away from the tray so that I'd lose it. Lucky for me, I saw him doing that.


I see this was downvoted by some Swede who doesn't think this stuff can happen in Sweden.

It can. It doesn't happen to you because you're white, blonde, and can pass through a scanner without triggering it.


At my work in the past year or 2 they rolled out Zscaler onto all of our machines which I think is supposed to be doing a similar thing. All it's done is caused us regular network issues.

I wonder if they also have the capability to brick all our Windows machines like this.


Zscaler is awful. It installs a root cert to act as a man-in-the-middle TCP traffic snooper. Probably does some other stuff, but all your TLS traffic is snooped with Zscaler. It is creepy software, IMO.


> installs a root cert

Wow, I didn't know that, but you're right. It even works in Brave, which I wouldn't have expected:

    % openssl x509 -text -noout -in news.ycombinator.com.pem 
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                6f:9e:b3:95:05:50:6e:4d:03:d6:0b:a9:81:8c:2f:c3
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net) (t) 
            Validity
                Not Before: Jul 13 03:45:27 2024 GMT
                Not After : Jul 27 03:45:27 2024 GMT
            Subject: C=US, ST=California, L=Mountain View, O=Y Combinator Management, LLC., CN=news.ycombinator.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
It seems to hijack the browser somehow, though, because that doesn't happen from the command line:

    % openssl s_client -host news.ycombinator.com -port 443
    CONNECTED(00000005)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = "Y Combinator Management, LLC.", CN = news.ycombinator.com
    verify return:1
    write W BLOCK
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Y Combinator Management, LLC./CN=news.ycombinator.com
       i:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
     1 s:/C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
       i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
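
Turning the check in the comment above into a script, as an added example (not the commenter's code): it parses the issuer from an `openssl x509 -text` dump of the certificate the browser received and the verify chain from a direct `openssl s_client` run, and flags interception when the browser-side issuer organisation does not appear among the issuers on the direct chain. The sample texts are trimmed copies of the two outputs quoted above; the function names are my own.

```python
import re

# Constructed sample inputs: the two openssl outputs quoted in the comment
# above, trimmed to the lines the parsers need.
BROWSER_X509_TEXT = """\
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, O=Zscaler Inc., OU=Zscaler Inc., CN=Zscaler Intermediate Root CA (zscalertwo.net)
        Subject: C=US, ST=California, L=Mountain View, O=Y Combinator Management, LLC., CN=news.ycombinator.com
"""
S_CLIENT_TEXT = """\
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = "Y Combinator Management, LLC.", CN = news.ycombinator.com
verify return:1
"""

def dn_org(dn):
    """Organisation (O=) of a DN, tolerating both openssl spellings:
    'O=Foo Inc., OU=...' and 'O = "Foo, Inc.", OU = ...'."""
    m = re.search(r'\bO\s*=\s*(?:"([^"]*)"|([^,]*))', dn)
    if not m:
        return None
    return (m.group(1) if m.group(1) is not None else m.group(2)).strip()

def issuer_from_x509_text(text):
    """Issuer DN from `openssl x509 -text` output."""
    m = re.search(r'^\s*Issuer:\s*(.+)$', text, re.MULTILINE)
    return m.group(1).strip() if m else None

def chain_from_s_client(text):
    """(depth, DN) pairs from `openssl s_client` verify lines, root first."""
    pairs = re.findall(r'^depth=(\d+)\s+(.+)$', text, re.MULTILINE)
    return sorted(((int(d), dn.strip()) for d, dn in pairs), reverse=True)

def interception_suspected(browser_x509_text, s_client_text):
    """True when the organisation that signed the cert the browser received
    is not among the issuers (depth > 0) seen on the direct connection,
    i.e. something between browser and server re-signed the certificate."""
    browser_issuer = dn_org(issuer_from_x509_text(browser_x509_text))
    direct = {dn_org(dn) for depth, dn in chain_from_s_client(s_client_text) if depth > 0}
    return browser_issuer not in direct

if __name__ == "__main__":
    print("interception suspected:", interception_suspected(BROWSER_X509_TEXT, S_CLIENT_TEXT))
```

This only catches the situation the commenter hit, where one path is intercepted and the other is not; if the proxy re-signs both, compare against an issuer recorded from an uninstrumented network instead.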


Ah, yeah, they gave us zscaler not too long ago. I wondered if it was logging my keystrokes or not, figured it probably was because my computer slowed _way_ down ever since it appeared.


Zscaler sounds like it would be a web server. Just looked it up: "zero trust leader". The descriptiveness of terms these days... if you say it gets installed on a system, how is that having zero trust in them? And what do they do with all this nontrust? Meanwhile, Wikipedia says they offer "cloud services", which is possibly even more confusing for what you describe as client software.


Somebody upthread pointed out that it installs a root CA and forces all of your HTTPS connections to use it. I verified that he's correct: I'm on Hacker News right now with an SSL connection that's verified by "ZScaler Root CA", not DigiCert.


ZScaler has various deployment layouts. Instead of the client side TLS endpoint, you can also opt for the "route all web traffic to ZScaler cloud network" which office admins love because less stuff to install on the clients. The wonderful side effect is that some of these ZScaler IPs are banned from reddit, Twitter, etc, effectively banning half the company.


Zero trust means that there is no implicit trust whether you’re accessing the system from an internal protected network or from remote. All access to be authenticated to the fullest. In theory you should be doing 2FA every time you log in for the strictest definition of zero trust.


Zero trust means absolutely nothing. Just a term void of any meaning.


There is a NIST paper on it. It's a requirement for government systems after they suffered major breaches.

https://www.nist.gov/publications/zero-trust-architecture


Now check how many zero trust companies have an offering that remotely compares to that.


It's a tool to "zero trust" your employees.


They are a SASE provider; I assume they offer a BeyondCorp-style offering allowing companies to move their apps off a private VPN and allow access on the public internet. Probably have a white paper on how they satisfy zero trust architecture.


I certainly would have zero trust in a system that man-in-the-middles all my traffic.


See the recent waves of ransomware encrypting drives and similar attacks. They cause real cost as well, and this outage can be blamed on CrowdStrike without losing face. If you are in the news for phished data or have an outage since all data is encrypted, blaming somebody else is hard.


Once you get legal involved the employee becomes the liability, not the asset.


Well it’s not aimed at IT people and programmers (though the policies still apply to them), it’s aimed at everyone else who doesn’t understand what a phishing email looks like.


Do you think that IT and programmers are immune to these attacks?


Nope, but more trustworthy to that stuff than not.


This is the whole point of 1984. It's not some overbearing government entity that surveils their citizens; the citizens bring it on themselves.

They willingly relinquish their right to privacy in service of protection against a potential threat, or the appearance of one.


[flagged]


These comments make me think that both you and the commenter you replied to have never read 1984.

It's anti totalitarian propaganda. There is IIRC not much about how Airstrip One came to be, it's kinda always been there because the state controls history. People did not ask for the telescreens, they accept them.

The system in the book is so strongly based on heavy-handed coercion and manipulation that I actually find it psychologically implausible (though, North Korea...). The strength of the book, I would say, is not its plausibility, but the intensity of the nightmare and the quality of the prose that describes it.


So there's the control freak at the top who made this decision, and then there are the front lines who are feverishly booting into safe mode and removing the update, and then there are the people who can't get the data they need to safely perform surgeries.

So yeah, screw 'em. But let's be specific about it.


I think the question this raises is why critical systems like that have unrestricted 3rd party access and are open to being bricked remotely. And furthermore, why safety critical gear has literally zero backup options to use in case of an e.g. EMP, power loss, or any other disruption. If you are in charge of a system where it crashing means that people will die, you are a complete moron to not provide multiple alternatives in such a case and should be held criminally liable for your negligence.


Agreed on all points, but if we're going to start expecting people to do that kind of diligence, re: fail-safes and such (and we should), then we're going to have to stop stretching people as thin as we tend to, and we're going to have to give them more autonomy than we tend to.

Like the kind of autonomy that lets them uninstall Crowdstrike. Because how can you be responsible for a system which at any time could start running different code?


What I don't get is why nobody questions how an OS that needs all this third-party shit to function and be compliant gets into critical paths in the first place??


I think various auditing standards are forcing it, regardless of whether you think it's a good thing or not.


I'd think you'd want some sort of controls/detection on infrastructure-level machines.

The above comment is very naive.


This kind of thing is required by FedRAMP. Good luck finding a company without endpoint management software that is legally allowed to be a US government vendor.

If you stick to small privately held companies you might be able to avoid endpoint management, but that's it. Any big brand you can think of is going to be running this or something similar on their machines, because they're required to.


Paranoid? Phishing is very successful.


If my job didn't include clicking random links I get via email all the time, I'd be much more successful in not clicking random links I get via email.


> Is this just some virus scanning software?

Essentially, yes. It is fancy endpoint protection.


The thing people are paying for is regulatory compliance. The actual product is anti-virus software.

