Kernel level spyware

SunshineGardenSmell

My employer is forcing me to install cloudstrike falcon spyware that operates at the kernel level. It will report back all activity.

I am going to put this in a VM and do my work in the VM. Would both Oracle VirtBox and KVM offer the same level of protection against this kernel level spyware? I know KVM operates off the same kernel.

(assuming the VM is compromised and I only want to protect the host)
 


Find a different employer, a company who doesn't trust their own employees is not a company you should want to work for.
 
On top of that, depending on the jurisdiction, your boss could be breaking the law if that spyware is used on the employees or clientele
 
Crowdstrike (not cloudstrike) looks like a legitimate company providing various computer security tools to large and well-known enterprises. Falcon looks to be one such tool that they offer. Their services are not cheap, but they claim to help protect against data breaches, ransomware, and other nasties. You should try to understand why your company desires this protection.

That doesn't mean your employer can't use it (or other tools) to spy on you. If they provided you the computer, they own it and can do what they want.

If they require you to install it on your personal computer, I would buy a cheap second-hand laptop that is only used for work to install it on... keeping your private information clearly separate. In other words, if my fear were that great, I would not trust a VM to keep my data private either.
 
Agreed... I too have Crowdstrike at work and I think that you are out of place to push back against having it on your work machine. Businesses need to take security seriously and it's good that your company is doing so. @Old Tom Bombadil, you hit the nail on the head here.
 
Given the data breaches in Australia alone over the past few weeks... having a tool such as CrowdStrike being used may well have safeguarded millions of people's data... names, addresses, licence numbers/details, passports, dates of birth.

Shame on the corporations who did not have such breach protection in place. I am looking at you, Optus and Medicare (Australia).

Whoever you work for, @SunshineGardenSmell, they are doing the right thing.

Support them.
 
The morality of this is irrelevant as I'm not switching employers over this issue alone. I'm being forced to put it on my personal computer.

Not a single one of these replies addresses the actual technical question about Oracle Virtbox vs QEMU KVM. I have a hard time believing this spyware can penetrate out of KVM. Do they both offer the same protection?
 
> I'm being forced to put it on my personal computer.

So, you are working from home. Doing whatever work your employer needs to be done in order for you to be paid.

I will leave others more versed in the "technical question about Oracle Virtbox vs QEMU KVM." to answer that query.

Essentially, you started the ball rolling by referring to CrowdStrike and Falcon as "spyware", and using rev up terms such as "forcing me".
You are working for the employer. He/she/it requires a great deal of security for the data involved.
 
> The morality of this is irrelevant as I'm not switching employers over this issue alone. I'm being forced to put it on my personal computer.
>
> Not a single one of these replies addresses the actual technical question about Oracle Virtbox vs QEMU KVM. I have a hard time believing this spyware can penetrate out of KVM. Do they both offer the same protection?

This is a quote from Red Hat on the subject of VM security. I would not bet on them being secure without your intervention and further steps.

> 1.1. Virtualized and Non-Virtualized Environments
>
> A virtualized environment presents opportunities for both the discovery of new attack vectors and the refinement of existing exploits that may not previously have presented value to an attacker. Therefore, it is important to take steps to ensure the security of both the physical hosts and the guests running on them when creating and maintaining virtual machines.

If you want to read further, follow this link.
Though it's written mostly for servers, it has implications for desktops also.
The best advice, as someone has already said, is to buy a machine strictly for work and keep your personal info off it.
 
> I have a hard time believing this spyware can penetrate out of KVM.

Virtual machine escape and Hyperjacking. Believe whatever you want. ;)

Personally, I don't believe that Crowdstrike is corporate spyware... without more evidence than fear and suspicion. But, in the business that they are in, with a number of high-profile success stories listed on their Wikipedia page, they must be very competent with the inner workings of computers... maybe competent enough to escape your VM.

Good luck with whatever decision you make.
 
G'day @SunshineGardenSmell , from DownUnder.

Although you have been with us for 7 months, I'll enclose a snippet of information I often supply to beginners who may expect of us more than we can deliver.

Just in case of any misapprehension on your part, we are not an official arm nor organ of Linux, just scored the dot org name - we are manned by volunteer staff who share a love of Linux and have varying skills in various departments.

That being said - unless any of us who use VMs have had experience with just what you are talking about, then we are unlikely to be able to give you better advice.

You may be best advised to get directly in touch with VirtualBox, VMWare, KVM and so on and ask them directly, to get an answer straight from the horse's mouth, as it were.

If you get a Yay or Nay, you could share it with us, if you would.

Good luck

Chris Turner
wizardfromoz
 
If it comes straight from the horse's mouth, he wouldn't just get a nay, he'd get a NAYYYYY :p
 
Where's a groan button when you need one? But I'll pay that, David.
 
