Date: 2024-07-25

We have ended up in a questionable state with "low-level tech influencer YouTube", if that’s the proper term for it. On the CrowdStrike exploit alone, I saw "explanation" videos that erroneously claimed:

Windows applications run in "ring 1" on x64,

The crash was caused by zeroes in a config file,

The page fault was caused by accessing a field off a null pointer,

User mode applications call kernel APIs by "raising an exception and waiting" for a kernel thread to “come along and look” at the arguments.

Two of these are obviously false. The other two are probably false, but at the very least, you would need to provide your own crash analysis clearly showing them to be true in order to claim that they were in an “explainer” video, since the publicly available information we have suggests they aren’t.

Of the “low-level” videos I saw on the CrowdStrike crash, I don't think I saw a single one that was able to accurately represent the facts as they were known at the time the video was recorded. Most also prominently featured blatant errors about basic Windows system details. These errors were so rudimentary that I trivially spotted them myself, despite never having written a single line of kernel-mode code in my life.

Bizarrely, some seemingly pulled-out-of-thin-air mistakes appeared in multiple videos. The “ring 1” error was declared in two separate videos that I saw, even though they were on separate channels and did not reference each other. Best case, this is because it is somehow an easy mistake to make, and both people made it independently. Worst case, one of the two watched the other’s video and, not knowing anything about how x64 works, recorded their own video pretending to be an expert and regurgitated the same errors.

This is a bad trend. People should not be posting “explanation” videos on YouTube if they have only a vague understanding of the thing they're “explaining”.

You will notice that I did not put up a video on this topic. The reasons for that are hopefully obvious:

I have never worked on Windows kernel drivers, so I do not know the subtle details that you wouldn’t get from just reading the x64 architecture manual.

I don’t have access to the CrowdStrike driver binaries, data files, or crash dumps, so I can’t reproduce the crash and inspect the disassembly myself.

To me, those are the minimum two requirements for an “explainer” video on this topic. If you can’t claim both of those, you have no business posting an “explanation” at the current time. You need to wait until a complete, verified, technical analysis is posted somewhere, with all the details, so we know what actually happened. At that point, if you’re actually a knowledgeable low-level programmer (which a lot of these people don’t seem to be, but that’s a separate issue), there’s obviously value in trying to represent those details in a more approachable way to a wide audience.

I myself am willing to occasionally put up an “explainer” video on something I don’t work on if — and this is the important part — there is thorough, existing work on the subject that is highly technical and could benefit from a more accessible presentation. For example, a while back I did a video on the GoFetch attack where I attempted to do just that. But I only felt comfortable taking a shot at that because we had an entire technical paper (with prior related papers) covering in minute detail exactly what was going on. Even then, I started the video with a big disclaimer explaining that I’m not a security researcher and was only covering what they disclosed in the paper.

I realize people like to hold themselves out as experts, even though they clearly aren’t, in order to try to build an audience and have a popular YouTube channel. But honestly, as I’ve said before, you aren’t going to make much money that way. Is a thousand dollars really so important to you that you’re willing to do widespread damage to the programming world by spreading erroneous information?

Plus, there are other kinds of content you can make when there’s a hot topic like this that you don’t actually understand. You could have a guest on who does know something about kernel driver development, and have them explain it. You could make an “article reaction” video where you just bag on CrowdStrike for being terrible at deployment, which they very obviously are, and very much deserve.

There’s plenty of content you can make and put out in the world that can get clicks and views that doesn’t spread erroneous technical details in the guise of an “expert” “explainer” video. If you feel like you have to capitalize on a particular technical news event, do one of these other types of videos instead. A few tech influencer folks did exactly this, and they should be commended for that! They avoided making the situation worse.