It's not just CrowdStrike – the cyber sector is vulnerable
Economic and Organizational Drivers
- Security and robustness are seen as costly, hard, and earnings-reducing, so many executives favor short‑term gains and checkbox compliance.
- Cybersecurity purchasing is heavily “box checking”; controls are often offshored, checklist‑driven, and leave little room for critical thinking.
- Some argue many “security problems” are really basic operations and maintenance failures (asset inventory, correct configs, ongoing upkeep).
Single Points of Failure & Centralization
- CrowdStrike is cited as a textbook single point of failure; similar concerns are raised about Zscaler‑style cloud proxies and other centralized “security” clouds.
- Individually, it’s rational for companies to outsource to a big vendor; collectively, it concentrates systemic risk.
- The broader move to cloud/SaaS is criticized for uncontrolled costs, loss of control, and global blast radius when something fails.
Automatic Updates, Testing, and Rollouts
- Some propose avoiding automatic updates; others note that manual updates leave systems unpatched and exposed (e.g., log4j delays).
- Consensus in the thread: automatic updates are necessary but must be staged, canaried, heavily tested, and have reliable rollback.
- A lack of basic pre‑deployment testing and telemetry is blamed for the scale of incidents like this.
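The staged, canaried rollout with rollback that the thread converges on, as an added example that is not part of the original discussion or any vendor's update mechanism: a small simulator that pushes a build ring by ring, gates each ring on post‑update health telemetry, refuses to ship a build that fails pre‑deployment tests, and returns every exposed host to the last known good version when a ring breaches the failure threshold. Ring names, the 20‑host fleet, the 1% threshold and the three health probes are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

BASELINE = "1.0"
# Ring names are an assumption for this example; smallest blast radius first.
RINGS = ["canary", "early", "broad", "all"]


@dataclass
class Host:
    name: str
    ring: str
    version: str = BASELINE
    healthy: bool = True


@dataclass
class RolloutResult:
    promoted: List[str]          # rings that fully received the new build
    rolled_back: bool
    failed_ring: Optional[str]   # ring whose telemetry breached the threshold
    hosts_exposed: int           # hosts that ever ran the new build


# A health probe stands in for the telemetry a host reports after an update.
HealthProbe = Callable[[Host], bool]


def build_fleet(n: int = 20) -> List[Host]:
    """Constructed fleet: 1 canary, 3 early, 6 broad, 10 in the final ring."""
    fleet = []
    for i in range(n):
        ring = "canary" if i == 0 else "early" if i < 4 else "broad" if i < 10 else "all"
        fleet.append(Host(name=f"host-{i:02d}", ring=ring))
    return fleet


def rollback(fleet: List[Host], bad_version: str) -> None:
    """Return every host that took bad_version to the last known good build.

    This assumes the host is still reachable. A build that stops the host
    from booting cannot pull its own fix, which is why the first ring stays
    tiny and why a pre-deployment gate matters more than fast rollback.
    """
    for h in fleet:
        if h.version == bad_version:
            h.version = BASELINE
            h.healthy = True


def rollout(fleet: List[Host], new_version: str, probe: HealthProbe,
            preflight: Callable[[str], bool] = lambda v: True,
            max_failure_rate: float = 0.01) -> RolloutResult:
    """Push new_version ring by ring.

    Each ring must pass its health check before the next ring is touched;
    a breach rolls back every host that received the build so far.
    """
    if not preflight(new_version):
        # Pre-deployment tests failed: nothing leaves the build pipeline.
        return RolloutResult([], False, None, 0)
    promoted: List[str] = []
    exposed = 0
    for ring in RINGS:
        members = [h for h in fleet if h.ring == ring]
        for h in members:
            h.version = new_version
            h.healthy = probe(h)  # telemetry observed after the update lands
        exposed += len(members)
        failures = sum(1 for h in members if not h.healthy)
        if failures / len(members) > max_failure_rate:
            rollback(fleet, new_version)
            return RolloutResult(promoted, True, ring, exposed)
        promoted.append(ring)
    return RolloutResult(promoted, False, None, exposed)


# Constructed probes: a clean build, a build that crashes every host, and a
# build that only breaks a subset (here host-07 and host-17).
def good_build(host: Host) -> bool:
    return True


def bad_build(host: Host) -> bool:
    return False


def flaky_build(host: Host) -> bool:
    return not host.name.endswith("7")


if __name__ == "__main__":
    for label, probe in [("good", good_build), ("bad", bad_build), ("flaky", flaky_build)]:
        print(label, rollout(build_fleet(), "2.0", probe))
```

With the crash-everything build only the single canary host is ever exposed before rollback; the subset-breaking build passes the canary and early rings and is caught at the broad ring, so the blast radius is bounded by ring size rather than by fleet size. The same structure applies whether the "build" is an agent binary or a content/signature update, which is the case the thread is reacting to.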
Software Quality, OS Design, and Complexity
- Many see modern software as low quality, over‑complex, and written without security in mind; “complexity crisis” is mentioned.
- There’s debate over whether bug‑free code is possible; formal methods are raised but seen as expensive and limited by the quality of specifications.
- Windows is called a “security dike” of patches; others argue all mainstream OSes are fundamentally inadequate against capable attackers.
- Suggestions include capability‑based OS designs, strict sandboxing, locked read‑only systems, and low‑permission “allow nothing by default” models akin to iOS/Android/ChromeOS.
Endpoint Security / EDR Critique
- EDR/AV products (CrowdStrike, Defender, others) are described as intrusive, kernel‑level “corporate malware” that hurt performance, stability, and sometimes reliability more than they help.
- Some see them mainly as compliance/CYA tools rather than effective security, yet acknowledge the need for some endpoint visibility.
- Examples are given of AV crippling Linux VMs, databases, Kubernetes clusters, and file‑heavy workloads; performance overheads of 30–50% are reported.
Compliance, Regulation, and National Security
- Frameworks like SOC 2, SOX, and HITRUST are described as giving a false sense of security; certification standards for OS security are portrayed as a very low bar.
- Some argue cybersecurity is national security and propose more government‑run or military‑style red‑teaming, with legal protection for researchers.
- Others note agencies like NSA/FBI sometimes disclose vulnerabilities, but also hoard exploits, creating tension between offense and defense.