Microsoft Security Windows

How Should Cybersecurity Evolve After Crowdstrike's Outage? (cnbc.com) 108

Microsoft will meet with CrowdStrike and other security companies on September 10, reports CNBC, to "discuss ways to evolve" the industry after a faulty CrowdStrike software update in July caused millions of Windows computers to crash: [An anonymous Microsoft executive] said participants at the Windows Endpoint Security Ecosystem Summit will explore the possibility of having applications rely more on a part of Windows called user mode instead of the more privileged kernel mode... Attendees at Microsoft's September 10 event will also discuss the adoption of eBPF technology, which checks if programs will run without triggering system crashes, and memory-safe programming languages such as Rust, the executive said.
On Wednesday, CrowdStrike argued that no cybersecurity vendor could "technically" guarantee their software wouldn't cause a similar incident.

On a possibly related note, long-time Slashdot reader 278MorkandMindy shares their own thoughts: The "year of the Linux desktop" is always just around the corner, somewhat like nuclear fusion. Will Windows 11, with its general advert and telemetry BS, along with the recall feature, FINALLY push "somewhat computer literate" types like myself onto Linux?

  • by Malay2bowman ( 10422660 ) on Saturday August 24, 2024 @06:40PM (#64732348)
    I think it's time to rebuild Windows from the ground up, at least for the line being sold as enterprise software. I can already hear the groans of "it will cost so much money" and "what about compatibility with (some obscure or legacy software)" and "this will introduce new bugs and security issues", but they are already fighting a losing battle trying to patch upon patch something that likely has code in it that is 40 years old, and no one person really knows how it all works. They don't have to get rid of "old Windows", but they should offer a lean Windows that is fresh and rebuilt from the ground up. Or maybe Microsoft just needs to go the way of Standard Oil.
    • That is what I understood Windows 7 was. Start with the kernel, and then work your way through the operating system. Kernel -> Metro/Modern UI -> Replace Control Panel with Settings, have the modern codebase be cross-platform with ARM, and deploy a Universal Windows Platform (UWP).

      An argument for ditching old Windows entirely and rebuilding from scratch yet again came up with a discussion I had on Slashdot a little while ago. Owning property is key to making money. Software has been advancing too rapi
      • by Z00L00K ( 682162 )

        Windows 7 had many of the same core issues that later Windows versions had, the big problem is that later versions basically were "lipstick and shaving of a pig" to make it look different but in no way become better.

        However if you (you as in the cybersecurity industry, CIOs and CEOs, not necessarily poster above) think that software like Crowdstrike equals cybersecurity you are definitely on the wrong track. What I see is that cybersecurity has to come from the bottom layers in the architecture and avoid pu

        • by Bongo ( 13261 )

          I for one think you're right, the fragility has become exposed.

          Key base components need the extreme care to be done right.

          It's a matter of incentive.

    • by timeOday ( 582209 ) on Saturday August 24, 2024 @07:04PM (#64732408)
      It wasn't even a windows bug.
      • It wasn't even a windows bug.

        When your architecture is insecure by design, I'd argue that it is a Windows bug, just the same as there have been bugs in the design for various protocols, rather than in the specific implementations of those protocols.

          by Anonymous Coward

          1) CrowdStrike's crap also caused crashes in Linux in previous months (more than once!)- it just wasn't covered in the media as extensively and far fewer people noticed.

          2) The architecture of most popular Desktop Linux stuff is just as insecure as Windows in an environment where users clicking through warnings to get pwned is still considered a Windows "zero day" exploit: https://research.checkpoint.co... [checkpoint.com]

          If the victim continues to ignore the warning (as the victim thinks he/she is opening a PDF), the victim's machine will eventually get hacked: the "opened" file is actually a malicious .hta file being downloaded and executed.

          I'm sure such users will still find some way to run malware on Linux - click through warnings etc. Wind

          • "where users clicking through warnings to get pwned is still considered a Windows "zero day" exploit: " This is more of a human problem as being confronted by warning after warning causes "dialog fatigue" and basically the user just becomes blind to the risks and clicks through to get to what they want.
          • 1) CrowdStrike's crap also caused crashes in Linux in previous months (more than once!)- it just wasn't covered in the media as extensively and far fewer people noticed.

            Sure, but that was due to an implementation bug in those distros, rather than a design flaw in the OS itself. Both are bugs, to be sure, but Windows was "working as intended" whereas Linux was not in that instance. After a quick patch, that particular issue won't happen again in Linux, whereas it will keep happening on Windows until this approach is changed.

        • When your architecture is insecure by design

          So what you're saying is we should ban BSD and OSX as well? I mean they let administrators load kernel modules. KERNEL MODULES! How horrible. Can you imagine an operating system letting administrators run code at that level? We can't do that. Too risky.

          From this point forward absolutely everyone needs to only run Android with a read only system partition. It's the only way to be sure.

          Yes this comment is snark and facetious. I hope it gets the point across at how silly the idea is that just because a system

      • Reportedly, Microsoft wants to claim it was a Windows Bug, in order to gain a competitive advantage over Crowdstrike. Embrace, Extend, Extinguish. AVG was excited when Microsoft "embraced" them for Windows Vista. Now we are moving into the extinguish phase.
    • by Hymer ( 856453 )
      Microsoft is actually working on that. In a couple of years Windows will only be a GUI running on a Linux kernel.
    • Can't be done.

      The value of Windows is the backwards compatibility. That only exists because the old code from the old versions of Windows is still there. The new versions add new code to do the same things in new (more efficient, less buggy) ways... but the old code is still there just waiting for a system-call from an old program.

      Wont be done.

      Microsoft has moved on from Windows. The profits from Windows are enough to keep it going... but it is no longer how they make their money. They will sell Windows,

      • The value of Windows is the backwards compatibility

        Run your old apps in an emulator.
        • Run your old apps in an emulator.

          Good luck with that. Some of the bits and pieces needed to run a Windows app are tightly bound to legitimate Windows installations by strict licensing terms.

          I support some PLC apps which depend on Windows HMIs. Which in turn depend on some IE6 DLL. The HMI doesn't actually use the DLL. It just checks to make sure it is there. So you bastards don't try running it on anything other than Windows.

          I've gotten the HMIs to run on Wine. But a minimal install of that includes grabbing DLLs from various places and

    • If we're fantasizing bullshut, why not just everyone switch to Linux .. get all the enterprise application developers (Adobe, Autodesk, Siemens, PTC etc.) and game developers to ditch Windows. Should be easy enough to send an email to the CEO.

    • by nyet ( 19118 ) on Saturday August 24, 2024 @07:25PM (#64732472) Homepage

      WTF? This has nothing to do with building windows from the ground up. Crowdstrike put a binary blob parser in ring0.

      What does that have to do with Windows? You could do the same in any OS.

      Moronic.

      • by thegarbz ( 1787294 ) on Sunday August 25, 2024 @03:43AM (#64733084)

        Crowdstrike put a binary blob parser in ring0.

        No. The *USER* put a binary blob parser in ring0. This seems to be something that a lot of the people here are missing. A system isn't insecure simply because the user can run software it approves to run at elevated privileges. Literally all non-mobile, non-vendor-locked down systems allow this.

        And frankly, on Slashdot, home of the "Secure boot is just taking ownership away from you" crowd it is hugely disappointing to see people suggest that we need to rebuild OSes in a way to prevent the ability to run code at the kernel level. I agree with you we need to preserve the ability for users to decide what their computers do. It's moronic to suggest otherwise.

        This isn't a security problem. There's no such thing as a security problem when an administrator needs to approve the installation of software. The problem there is who you choose as a trusted partner, and Crowdstrike ... well they have a history.

      • The fact that most Windows installations run some sort of "security software" while most Linux installations do not, MUST have something to do with Windows.

    • I can already hear the groans of "it will cost so much money" and "what about compatability with (some obscure or legacy software)" "This will introduce new bugs and security issues" , but they are already fighting a losing battle

      Sure, but since you just want to hand wave everyone else's concerns, you can be the one to test it in perpetuity and develop all of the required functions needed by all of their customers.

      INB4: But why should I....

      Because you are the one making these demands and not caring at all about anyone else's needs. You go ahead and make it, we'll wait. If it's any good, we'll adopt it.

      has code in it that is 40 years old, and no one person really knows how it all works.

      they should offer a lean Windows that is fresh and rebuilt from the ground up. Or maybe Microsoft just needs to go the way of Standard Oil.

      Ah, yes, because it's too old for zoomers to figure out thus we must throw it in the bin. After all why would we bother to lear

    • Windows itself wouldn't be that hard to rebuild. You already have a set of API calls, so the trick is to have newer apps use a new API, and older programs have their API virtualized. This way, Windows can be moved to a relatively, small, lightweight subset.

      As for security, the days of slapping some utility to watch all I/O and sift through processes is over. This needs to be built into the OS. For real time threats, the OS should have the ability to "subscribe" to signed repositories (the repos need to

    • by gweihir ( 88907 )

      That is probably the only way to do it. But it needs to be done right, for example how Apple did it. If MS writes a new kernel and surrounding infrastructure, they will just mess it up again.

    • by Bongo ( 13261 )

      True and obviously there was a time when many operating systems did not have multi processing, process isolation, protected memory, memory randomisation, etc. Now that it's clear that the security methods have become damned if you do, damned if you don't scenarios, maybe it's time to take the OS microkernel, chipset, boot etc. to a new level.

    • Microsoft already has a locked down version of Windows - S Mode.
  • The world is no doubt going to clamour for more "safeguards" to prevent such an incident happening again. What are safeguards? Well of course the inability to run certain software with certain functionality on your device. Lock the OS down - for your own protection of course. More limits, more code signing. more control - but not for you.

    The worst part is that a disappointingly large number of people here on Slashdot have been asking precisely for this, simply because a few computers went down once in the p

    • The number and frequency of computers that went down leaves out an important leg of the tripod: the severity of the failure. In this particular case, it was pretty damn severe, so some safeguards to make sure it doesn't happen again are justified.
      • by micheas ( 231635 )
        Don't deploy to millions of computers without doing a canary deployment. Just don't. It would get you fired from most large scale companies, besides Twitter, where firings are random and depend on Musk's chemical state.
        • Don't deploy to millions of computers without doing a canary deployment. Just don't. It would get you fired from most large scale companies, besides Twitter, where firings are random and depend on Musk's chemical state.

          Yeah, that was absolute stupidity. You really have to wonder what kind of incompetent management structure they must have that would allow that to happen.

      • The number and frequency of computers that went down leaves out an important leg of the tripod:the severity of the failure. In this particular case, it was pretty damn severe, so some safeguards to make sure it doesn't happen again are justified.

        No it doesn't. On the scale of things that happened, for the most part other than Delta Airline's own incompetence, it was little more than a bad day at the office. If anything we have shown with some degree of clarity that civilisation can deal with a computer outage of this scale just fine.

        so some safeguards to make sure it doesn't happen again are justified.

        There are safeguards. Crowdstrike didn't install itself. The OS enforces security by means of having the administrator control what runs on the system. Choose the correct people to partner with, people who have appropri

    • Locking down Windows wouldn't be so bad; it's a gaming OS. Maybe it could even be a stable business OS, and company-owned devices are going to be locked down regardless.

      • company-owned devices

        The premise here is that it is no longer company-owned, it becomes 100% MS sanctioned. After all we're talking about restricting what administrators can and can't run.

        Windows is already locked down. Crowdstrike didn't install itself. The question is do you want your OS (gaming or business) to be an OS that only runs Microsoft approved software? Because that's precisely what we're talking about - limiting software functionality by locking down the OS.

        • I could see a lot of organizations that don't do anything unusual with their computers wanting exactly that. They want laptops that open Outlook and Salesforce. They don't care what their antivirus' relationship to Microsoft is.

          The guys who need to build custom funky drivers to interface with CNC machines or whatever can build that on Linux, which is what they should have been doing in the first place.

    • by micheas ( 231635 ) on Saturday August 24, 2024 @07:42PM (#64732520) Homepage Journal

      The world is no doubt going to clamour for more "safeguards" to prevent such an incident happening again. What are safeguards? Well of course the inability to run certain software with certain functionality on your device. Lock the OS down - for your own protection of course. More limits, more code signing. more control - but not for you.

      The worst part is that a disappointingly large number of people here on Slashdot have been asking precisely for this, simply because a few computers went down once in the past 2 decades.

      A canary deployment and rolling release would have caught the issue before it made it out to all of their customers.

      CrowdStrike is fundamentally incapable of delivering software in a safe manner.

      There is no way that anyone should have allowed Crowdstrike software on enterprise business critical systems.

      The failure was not because of CrowdStrike. It was that CrowdStrike was allowed to deploy random software without an incremental deployment and reporting of how that deployment had gone.

      There is no way CrowdStrike should have been authorized to be deployed. It doesn't meet basic best practices of large scale deployments.

      The Chief Security Officers of every company that had an outage from CrowdStrike should be explaining to the board what failed to allow CrowdStrike to be approved and what they are doing to prevent similar software from being placed on the company's servers and if they can't explain that they should be terminated for incompetence.

      • by sjames ( 1099 )

        There's a lot to this, and I imagine a lot of admins who warned about this sort of thing and were overruled. That doesn't absolve Crowdstrike who no doubt told those overruling higher-ups "Relax, TRUST me".

        And, of course, there's probably a lot more admins out there who had insufficient experience to realize they should push back in the first place.

      • A canary deployment and rolling release would have caught the issue before it made it out to all of their customers.

        Exactly, which speaks to my point: Crowdstrike doesn't install itself. It needs administrators to do that. The inability to install software running at ring-0 as a non-privileged user is already the only security measure we need. Anything more than that is a restriction of what "owners" can do with their system (yeah yeah, MS is the owner, you're just a product blah blah blah, we're talking about not making that worse here)

        • by micheas ( 231635 )

          A canary deployment and rolling release would have caught the issue before it made it out to all of their customers.

          Exactly, which speaks to my point: Crowdstrike doesn't install itself. It needs administrators to do that. The inability to install software running at ring-0 as a non-privileged user is already the only security measure we need. Anything more than that is a restriction of what "owners" can do with their system (yeah yeah, MS is the owner, you're just a product blah blah blah, we're talking about not making that worse here)

          Once CrowdStrike is installed Crowdstrike has the ability to push any software they want onto your system and they contractually promise to only install specific software, but there is nothing to physically stop them from pushing out a crypto miner to all thirty million machines they have CrowdStrike on.

          Compromise CrowdStrike's deployment infrastructure and you effectively have root on every machine that has CrowdStrike installed on it.

          People agree to this because they need to tell their cyber insurance pr

      • by Zocalo ( 252965 )
        Quite. This is down to failure to realise that fsck-ups happen and that you need to work on the assumption that sooner or later you're going to get burnt. That's pretty much the mantra in the security sector; "sooner or later you *will* get hacked, so you'd better have other security measures and procedures in place for when you do to control and minimise the damage". We've been engineering solutions based on that premise for decades now, it's what defence in depth is all about, so that Crowdstrike, and
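The canary deployment and rolling release that micheas describes above, as an added example that is not part of the thread and not CrowdStrike's or anyone's real pipeline. It pushes content ring by ring (1%, 10%, 50%, 100% of the fleet) and only advances when enough hosts in the current ring have checked in and the crash rate is under a threshold. The ring sizes, the policy numbers and all the telemetry are constructed for the example. One edge case the thread touches on is built in: a host stuck in a boot loop cannot report, so hosts that stay silent past the wait window are treated as failures rather than as "no news".

```c
#include <stdio.h>

enum { RING_COUNT = 4 };
static const int ring_pct[RING_COUNT] = { 1, 10, 50, 100 };  /* cumulative % of fleet */

struct ring_report {
    unsigned deployed;    /* hosts that received the new content */
    unsigned reported;    /* hosts that checked in afterwards */
    unsigned crashed;     /* hosts whose check-in reported a crash */
    unsigned elapsed_s;   /* seconds since the ring was pushed */
};

struct gate_policy {
    double   min_report_ratio;   /* do not advance before this share has checked in */
    double   max_crash_ratio;    /* halt above this share of crashes */
    unsigned max_wait_s;         /* after this, silent hosts count as failures */
};

enum gate_result { GATE_WAIT, GATE_ADVANCE, GATE_HALT };

/* Decide what to do after one ring. Silence past the wait window is a halt,
 * because a boot-looping host is exactly the one that cannot check in. */
enum gate_result gate_check(const struct ring_report *r, const struct gate_policy *p)
{
    if (r->deployed == 0 || r->reported > r->deployed || r->crashed > r->reported)
        return GATE_HALT;                                   /* telemetry is inconsistent */
    if ((double)r->crashed / r->deployed > p->max_crash_ratio)
        return GATE_HALT;
    if ((double)r->reported / r->deployed < p->min_report_ratio)
        return r->elapsed_s < p->max_wait_s ? GATE_WAIT : GATE_HALT;
    return GATE_ADVANCE;
}

struct rollout_outcome { int reached_pct; enum gate_result last; };

/* Push ring by ring; stop at the first ring that does not pass the gate. */
struct rollout_outcome run_rollout(const struct ring_report reports[RING_COUNT],
                                   const struct gate_policy *p)
{
    struct rollout_outcome o = { 0, GATE_HALT };
    for (int i = 0; i < RING_COUNT; i++) {
        o.reached_pct = ring_pct[i];
        o.last = gate_check(&reports[i], p);
        if (o.last != GATE_ADVANCE) break;
    }
    return o;
}

static const struct gate_policy policy = { 0.95, 0.001, 3600 };   /* constructed */

/* Constructed telemetry for a hypothetical 1,000,000-host fleet. */
struct rollout_outcome demo_healthy_release(void)
{
    const struct ring_report reps[RING_COUNT] = {
        {   10000,   9900,   3, 1800 },
        {  100000,  99000,  20, 1800 },
        {  500000, 495000, 100, 1800 },
        { 1000000, 990000, 300, 1800 },
    };
    return run_rollout(reps, &policy);       /* reaches 100%, last = GATE_ADVANCE */
}
struct rollout_outcome demo_crashing_release(void)
{
    /* 1% ring: 8,000 of 10,000 hosts never come back, 2,000 report a crash */
    const struct ring_report reps[RING_COUNT] = { { 10000, 2000, 2000, 3600 } };
    return run_rollout(reps, &policy);       /* halts at 1% */
}
struct rollout_outcome demo_not_enough_data(void)
{
    /* 1% ring, ten minutes in: half have checked in, none crashed, so wait */
    const struct ring_report reps[RING_COUNT] = { { 10000, 5000, 0, 600 } };
    return run_rollout(reps, &policy);       /* stays at 1%, last = GATE_WAIT */
}
struct rollout_outcome demo_silent_hosts(void)
{
    /* same ring an hour later, and half the hosts are still silent */
    const struct ring_report reps[RING_COUNT] = { { 10000, 5000, 0, 3600 } };
    return run_rollout(reps, &policy);       /* halts at 1% */
}

int main(void)
{
    const char *names[] = { "wait", "advance", "halt" };
    struct rollout_outcome o = demo_healthy_release();
    printf("healthy  : %3d%% %s\n", o.reached_pct, names[o.last]);
    o = demo_crashing_release();
    printf("crashing : %3d%% %s\n", o.reached_pct, names[o.last]);
    return 0;
}
```

The thresholds are the policy, not the mechanism: what matters is that the 99% of the fleet outside the first ring never receives content that the first ring could not survive, and that "no reports yet" and "reports stopped arriving" are distinguished by a clock rather than treated the same.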
    • by gweihir ( 88907 )

      I agree. I expect that eventually I will have one console-like PC for gaming and a Linux box for all other stuff where I actually want control and access. Most people will just have that locked-down device though.

  • The problem isn't cybersecurity. The problem is Microsoft Windows running on Intel hardware. The solution is a Manhattan Project to come up with a totally new hardware and software design.
      by nyet ( 19118 )

      Idiotic. This has nothing to do with either MS or Intel. This has to do with CrowdStrike hiring complete idiot devs.

      • > Idiotic. This has nothing to do with either MS or Intel. This has to do with CrowdStrike hiring complete idiot devs

        Why does Windows require a third party AV solution?
        • Microsoft is a huge single target, not benefiting from "security through obscurity". Its wide install base makes it easy and cost effective to develop software for, and deploy it at scale for maximum return on investment. This benefits both legitimate software vendors and malware vendors.

          An antivirus solution is essentially then required for any system which can download applications. Even Apple's walled garden iOS platforms are not immune to viruses, and they take an additional 30% cut of revenue.

          Microso
          • Why does Windows require an AV solution?
            • End users are not "clicking on links" on the majority of single use embedded devices. Servers are similarly not typically used by end users to "click on links".

              Smartphones, well I guess you haven't had to clean up Android phones that have been thoroughly trashed by somebody clicking on links, or rolled your eyes at the various exploits found on iOS.

              How much of that cloud infrastructure is for accessing a browser to download files? Private clouds may restrict the websites that a person can visit on com
        • Windows needs AV because it's an attractive target. *Every* OS has vulnerabilities. But why would criminals go after an OS with a 4% desktop market share? They go where the people are.

          • a. Windows requires an antivirus solution because it is popular.

            b. The same reason every consumer OS does.

            c. Windows needs AV because it's an attractive target.

            d. Because Windows is crapware.
            • A, B, and C, are essentially the same choice. D refers to Windows 98, where you could click Cancel at the login screen to login as the local admin.

              There is this thing in cybersecurity called the C.I.A. triad. Confidentiality, Integrity, and Availability. It is paranoia to forego the "Availability" for security. Benjamin Franklin might have something to say about giving up "essential liberty", it might be something about tossing your phone and laptop down the Mariana Trench. The Windows Platform no longer
            • Is Windows perfect? No. Is it somehow inferior in some specific way, to any other widely-used OS? No.

              Certainly the CrowdStrike debacle doesn't point to a Windows problem. That's all on CrowdStrike. They managed to cause Linux panics too. https://www.theregister.com/20... [theregister.com]

              Oh wait, is Linux crapware too???

        • Because of antitrust laws. For example the EU forced Microsoft to make all the kernel APIs available to third parties in the name of antitrust.
          • As I understand it, the antitrust laws do not require Microsoft to make all the kernel APIs available to third parties. It just stipulates that Microsoft cannot use them for competitive advantages, such as by making the APIs available to Windows Defender.

            One might ask what the point of APIs are, if nobody, including Microsoft, can use them? Who decides what APIs provide a competitive advantage to Microsoft, and what APIs merely serve the basic underlying functions of the operating system itself?

            The di
      • Both Microsoft and Crowdstrike had the ability to mitigate this problem with a simple sanity check. When a kernel module loads and causes a BSOD, that information is logged including the module which caused the fault. Microsoft could have said hey, that module has caused us to bsod, let's not allow it to load next time and throw up a prompt and trigger events to let us know that software is malfunctioning much like they do with usb devices today.

        Crowdstrike had even more ability to mitigate first through a

        • When a kernel module loads and causes a BSOD, that information is logged including the module which caused the fault. Microsoft could have said hey, that module has caused us to bsod, let's not allow it to load next time....

          That's exactly what MS does... for ordinary kernel drivers. The problem is Crowdstrike made their driver a "boot-start driver" that, by definition, Windows considers required in order for the system to come up.

            • I never said whether the driver should or should not be a boot-start driver. All I said was that the problem in this case was contributed to by the fact that the driver was a boot-start driver and to point out to the OP that Windows ordinarily disables bad drivers.
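The safeguard this sub-thread discusses (a driver that keeps crashing the boot is not loaded next time, unless it is a boot-start driver the OS considers required), as an added simulation that is not part of the thread and not Windows' own logic. The driver names, the crash threshold and the boot sequence are constructed. It shows in numbers why registering a driver as boot-start removes the protection that an ordinary driver would get.

```c
#include <stdio.h>

#define CRASH_LIMIT 2   /* consecutive crashing boots before a driver is parked (constructed) */

struct driver {
    const char *name;
    int boot_start;            /* 1: the OS treats the driver as required to boot */
    int consecutive_crashes;   /* would be persisted across reboots in a real OS */
    int parked;                /* 1: skipped at the next boot */
};

enum load_outcome { LOAD_OK, LOAD_CRASH };

/* Policy checked before each load. Returns 1 if the driver is loaded. */
int should_load(const struct driver *d)
{
    if (d->boot_start) return 1;     /* required: the guard is bypassed */
    return !d->parked;
}

/* Record one load attempt. Returns 1 if this boot crashed. */
int record_load(struct driver *d, enum load_outcome o)
{
    if (o == LOAD_OK) { d->consecutive_crashes = 0; return 0; }
    d->consecutive_crashes++;
    if (d->consecutive_crashes >= CRASH_LIMIT && !d->boot_start)
        d->parked = 1;                /* ordinary driver: stop loading it */
    return 1;
}

/* Simulate `boots` reboots during which the driver crashes every time it is
 * loaded. Returns how many of those boots reached a running system. */
int simulate(struct driver *d, int boots)
{
    int booted = 0;
    for (int i = 0; i < boots; i++) {
        if (!should_load(d)) { booted++; continue; }   /* parked: boots without it */
        if (record_load(d, LOAD_CRASH)) continue;      /* crashed: boot failed */
        booted++;
    }
    return booted;
}

int demo_ordinary_driver(void)
{
    struct driver d = { "ordinary.sys", 0, 0, 0 };    /* constructed name */
    return simulate(&d, 5);   /* crashes twice, is parked, then 3 boots succeed */
}
int demo_boot_start_driver(void)
{
    struct driver d = { "bootstart.sys", 1, 0, 0 };   /* constructed name */
    return simulate(&d, 5);   /* never parked: every boot fails */
}

int main(void)
{
    printf("ordinary driver  : %d/5 boots reach a running system\n", demo_ordinary_driver());
    printf("boot-start driver: %d/5 boots reach a running system\n", demo_boot_start_driver());
    return 0;
}
```

The second case is the fleet-wide boot loop: the only exits are a human at the console or out-of-band recovery, which is why the rollout gate has to catch the problem before it reaches the machines that cannot report back.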
    • I think you would really like reading the Frank Soltis book Inside The AS/400. Such a different way or doing things.

    • I agree it's not cybersecurity that's the problem. But it's also not MS / Windows. CrowdStrike also has has had incidents causing panics on Linux. https://www.theregister.com/20... [theregister.com]

  • by nyet ( 19118 )

    This has nothing to do with cybersecurity, other than complete idiot devs making fundamentally bad design decisions: like putting a binary blob parser that isn't a battle tested ELF parser in fucking ring0.

    Moronic post.

    • Binary blob parsers also have nothing to do with this. Parsing binary blobs isn't intrinsically more risky than parsing text strings. If the blob had been encoded as json, the crash would have happened in exactly the same way. The parser worked correctly, it was the data being parsed that was the problem.

      • by nyet ( 19118 )

        Yes, parsing binary is intrinsically more risky; there are a ton more things that go wrong. But either way *don't put a parser in ring0*. How hard is this to comprehend?

        • Can you name a single thing that can go wrong with a binary blob parser, that couldn't also go wrong with a json blob parser? I doubt it.

          The CrowdStrike issue was zeroes where there should have been data, leading to a NULL pointer. https://www.crowdstrike.com/wp... [crowdstrike.com] Those zeroes could have been represented in a json blob just as easily as in a binary blob.

          Or are you now broadening your definition to say you shouldn't put *any* parser in ring0? If so, that's a more logical conclusion than to single out binary

          • by nyet ( 19118 )

            Binary blobs in modern OSes are parsed by battle tested ELF parsers.

            And yes, the surface area of a binary blob parser is going to be much larger than a text parser, which can throw out the vast majority of chars.

            You might say, well, Unicode makes things complex: I would basically say that Unicode is basically equivalent to binary blob parsing, and when I say "text" I mean 7 bit ASCII.

            • You still haven't named something that can go wrong with binary blob parsers, that can't also go wrong with text parsers. Serialization is serialization, regardless of the format. As I already pointed out, the CrowdStrike issue would have happened in exactly the same way, if the data had been serialized to a json, or xml, or CSV blob, doesn't matter. If you deserialize a reference to data that doesn't exist, it's all the same regardless of the format.

              And a character is a character, whether it's 7-bit ASCII,
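The parser argument in this thread, as an added example that is not part of the thread and not CrowdStrike's or Microsoft's code. The file layout (a header with a rule count, then fixed-size rules that select a handler by index), the handler table and all sample files are constructed for the example. It puts the form that trusts what it reads next to the form that validates every field before the value becomes a size, an index or a pointer. In a kernel driver the unchecked path is a system crash rather than a catchable fault, and the validation needed is the same whether the serialization is binary, JSON or anything else.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed on-disk layout for this example; not any vendor's real format. */
#define RULE_MAGIC 0x52554c45u      /* "RULE" */
#define MAX_HANDLERS 4

struct hdr  { uint32_t magic; uint32_t count; };
struct rule { uint32_t handler; uint32_t arg; };

typedef int (*handler_fn)(uint32_t arg);
static int h_log(uint32_t a)   { return (int)a; }
static int h_block(uint32_t a) { return -(int)a; }

/* Slot 0 is unused on purpose: an all-zero rule selects it. */
static const handler_fn handlers[MAX_HANDLERS] = { NULL, h_log, h_block, NULL };

/* Vulnerable form: trusts `count` and `handler` as read from the file. A rule
 * of zeroes selects handler 0, a call through NULL; an oversized `count` walks
 * off the end of the buffer. Shown for contrast only; never call it on
 * untrusted input. */
int dispatch_unchecked(const uint8_t *blob)
{
    const struct hdr  *h = (const struct hdr *)blob;
    const struct rule *r = (const struct rule *)(blob + sizeof *h);
    int acc = 0;
    for (uint32_t i = 0; i < h->count; i++)
        acc += handlers[r[i].handler](r[i].arg);
    return acc;
}

/* Hardened form: each field is checked against the buffer length and the
 * handler table before use. Any problem returns -1, the content is rejected
 * and the previously loaded rule set stays in force. */
int dispatch_checked(const uint8_t *blob, size_t len, int *result)
{
    struct hdr h;
    if (blob == NULL || len < sizeof h) return -1;
    memcpy(&h, blob, sizeof h);                         /* alignment-safe read */
    if (h.magic != RULE_MAGIC) return -1;
    if (h.count > (len - sizeof h) / sizeof(struct rule)) return -1;

    int acc = 0;
    for (uint32_t i = 0; i < h.count; i++) {
        struct rule r;
        memcpy(&r, blob + sizeof h + (size_t)i * sizeof r, sizeof r);
        if (r.handler >= MAX_HANDLERS || handlers[r.handler] == NULL)
            return -1;                                  /* unknown handler */
        acc += handlers[r.handler](r.arg);
    }
    *result = acc;
    return 0;
}

/* Builds a file image in memory; returns its length, or 0 if `cap` is too small. */
size_t build_file(uint8_t *out, size_t cap, const struct rule *rules, uint32_t n)
{
    struct hdr h = { RULE_MAGIC, n };
    size_t need = sizeof h + (size_t)n * sizeof *rules;
    if (cap < need) return 0;
    memcpy(out, &h, sizeof h);
    memcpy(out + sizeof h, rules, (size_t)n * sizeof *rules);
    return need;
}

/* Constructed scenarios; each returns what dispatch_checked produced. */
int demo_valid(void)              /* two sane rules: 5 + (-3) */
{
    uint8_t buf[64]; int r = -999;
    struct rule rs[2] = { {1, 5}, {2, 3} };
    size_t n = build_file(buf, sizeof buf, rs, 2);
    return dispatch_checked(buf, n, &r) == 0 ? r : -999;
}
int demo_all_zero_file(void)      /* a file of nothing but zeroes: bad magic */
{
    uint8_t buf[64] = {0}; int r = 0;
    return dispatch_checked(buf, sizeof buf, &r);
}
int demo_zero_rule(void)          /* valid header, rule of zeroes: handler 0 is NULL */
{
    uint8_t buf[64]; int r = 0;
    struct rule rs[1] = { {0, 0} };
    size_t n = build_file(buf, sizeof buf, rs, 1);
    return dispatch_checked(buf, n, &r);
}
int demo_bad_count(void)          /* header claims 1000 rules in a 16-byte file */
{
    uint8_t buf[64]; int r = 0;
    struct rule rs[1] = { {1, 1} };
    size_t n = build_file(buf, sizeof buf, rs, 1);
    uint32_t big = 1000;
    memcpy(buf + offsetof(struct hdr, count), &big, sizeof big);
    return dispatch_checked(buf, n, &r);
}

int main(void)
{
    printf("valid file   : %d\n", demo_valid());          /* 2  */
    printf("all-zero file: %d\n", demo_all_zero_file());  /* -1 */
    printf("zero rule    : %d\n", demo_zero_rule());      /* -1 */
    printf("bad count    : %d\n", demo_bad_count());      /* -1 */
    return 0;
}
```

On the same inputs, dispatch_unchecked() would call through NULL for the zero rule, read past the buffer for the bad count, and, for the all-zero file, silently load a rule set of zero rules, which is a quieter failure but still a wrong one. None of those checks depend on the bytes being binary rather than text; what the checked form rejects is a reference that does not resolve, and that can be serialized in any format.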

  • FINALLY push "somewhat computer literate" types like myself onto Linux?

    While I've heard gaming under the SteamOS is doable, most of my games aren't through Steam (direct from game company or Humble Bundle and leftovers from days before Steam). So I game in Windows and work in Linux in addition to DosBox and Wine for older games. What I'm getting at is that there is no reason why it has to be one or the other. With the ability to dual boot, I can run both on the same hardware.

    Incidentally, besides being a nerd and being drawn to it anyway, the reason why I got pushed int

    • Steam's latest incorporation of Proton ("Steam Play" on Linux), makes it sufficiently easy to install and deploy Windows binaries into the Steam Library on Linux. While not quite necessary, it is a delight to have all of one's games in one place. I primarily add Good Old Games launchers to Steam.

      I did have some trouble with Need for Speed: Hot Pursuit under the EA Desktop App, as those games did not want to run on the Steam Deck properly. I think they do run better with the Steam version, but I have I no
    • With the ability to dual boot, I can run both on the same hardware.

      That's beginning to look like a lot less attractive [slashdot.org] of an option these days.

  • by ukoda ( 537183 ) on Saturday August 24, 2024 @08:18PM (#64732578) Homepage
    Disclosure: I'm a long time Linux user and have not owned a Windows machine in over a decade.

    There is not going to be a sudden single event that brings around the year of the Linux. The Crowdstrike failure and all the crap before that never triggered it and you can do a whole lot worse and still nothing would change. There is too much money in the Windows sales channels and too much laziness with buyers.

    Putting aside gaming and custom Windows software locked in users, most users will happily use a Linux distro like Mint if it is given to them all up and running but none will install it themselves (the ones who will have already done it). No sales channel, outside of Linux specialists, will offer it as there is nothing in their pocket for doing it and plenty to lose by not selling Windows.

    The only things trickling up Linux desktop usage are:
    - The rare companies that actually care about cyber security at the CEO level, not the "That is something the IT department can worry about" norm.
    - Users who care enough about their computer to learn and try things, or have relatives who are tasked with keeping their systems running.
    - People playing with Raspberry Pi and finding it is actually quite usable as a desktop these days.
    • by sinij ( 911942 )

      - it is actually quite usable as a desktop these days.

      Sorry, not yet. I recently had to manually clean out old kernel images on a Debian laptop because the patcher had enough space to download but not unpack a new kernel version and about everything patch-related stopped working.

      • Windows does the same thing idiot. Don't believe me? Try filling up C:\ with garbage as the Administrator account. Eventually, Windows Update will stop working. (And the OS won't even boot if you restart.)
      • by gweihir ( 88907 )

        That is annoying in Debian. Even more so when you do not even use the distro kernels.

  • by linebackn ( 131821 ) on Saturday August 24, 2024 @08:42PM (#64732612)

    What needs to happen is all of these companies need to keep competent tech people on staff, and managers need to be punished for making bad decisions - such as allowing a critical update to go out unchecked. Or allowing such an update to come in to your network without another layer of checking. Or not having sufficient backup or contingency plans when systems go down.

    Practically speaking, I think one real change that is needed, there needs to be a better, quicker, way to rapidly automate recovery of computers that are so hosed they won't boot their normal OS.

    Blaming Microsoft for all of this is kind of like blaming the construction next door to Champlain Towers South for the building collapse. There is MUCH more to it than that. In both cases, the real culprit is a deep systemic management failure to make sure things were and are designed properly, built properly, maintained properly, and that problems are corrected before disaster hits.

    But, you know, that all costs money, so it won't happen. Instead some security company will put on a show, come up with some new buzzwords, throw some AI at it, and nothing will really change.

  • Well, the obvious answer is to ditch the Enterprise Microsoft Windows ecosystem. But politics, lined pockets, cronyism, etc... will ensure business as usual. Linux can easily replace the infrastructure for now. Windows is obviously (and then barely) only suitable for home personal use.

  • by Anonymous Coward

    Punting to user mode is not a solution to this particular problem. If your security software stops working the natural consequence of that should be a total lack of system availability. Doesn't matter if it doesn't crash or runs in user mode.

    Microsoft should focus on process isolation and similar shit so that people can have more assurances about what software can do rather than infinite piling on of band aids.

  • by Tony Isaac ( 1301187 ) on Saturday August 24, 2024 @11:13PM (#64732852) Homepage

    This is about a vendor with bad testing and deployment practices.

    Oh, so MS makes you sign your ring 0 driver to ensure reliability? No problem, put the important stuff in a separate config file that doesn't have to be signed, and is downloaded to every client in the world all at once. What could possibly go wrong? Oh wait, it did. And this wasn't the first time, just the most widespread.

    Like any company that sells things, you've got to go with a vendor that has a proven track record of reliability, not necessarily the cheapest.

    • by gweihir ( 88907 )

      Like any company that sells things, you've got to go with a vendor that has a proven track record of reliability, not necessarily the cheapest.

      That requires actual insight. A thing that is in short supply these days.

  • Instead of "lessons learned", I've been calling it "instructions ignored" for years now.

    When you are 'forced' by manglement to cut corners for cost or time reasons, etc., despite saying to them that this is a risk, then it really [*****] me off when there's a post-project lessons-learned session and all the same things come out.

  • after a faulty CrowdStrike software update in July caused millions of Windows computers to crash: Double check and test before releasing any update !!!
  • Wednesday Crowdstrike argued no cybersecurity vendor could "technically" guarantee their software wouldn't cause a similar incident.

    Yeah, but they could "technically" guarantee their software wouldn't cause an incident in the same pathetic way as Clownstroke, where they didn't check input and just did what the file said. You cannot do that just in case you have an error, let alone an attack on your update distribution system. You must validate input before doing things based on it, and the more important those things are, the more important it is to do that.

    We don't need to make all software developers liable for all the code they write
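
The "validate input before doing things based on it" point made here, and the unsigned-config-file point raised in an earlier comment in this thread, as an added example that is not the original posters' or any vendor's code: a loader for a constructed content-update format that checks an integrity tag over the payload, parses it, validates the structure against its own declared counts and bounds, and keeps the last known-good rule set whenever any check fails. The file format, the HMAC key, the field names and the limits are all assumptions made up for the example.

```python
import hashlib
import hmac
import json

# Hypothetical content-update format (constructed for this example, not any
# vendor's real format): a JSON object with a declared entry count and a list
# of rules, accompanied by an HMAC-SHA256 tag computed with a key the client
# already holds. Key and limits are placeholders for the example.
UPDATE_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_ENTRIES = 1000
MAX_PATTERN_LEN = 256


def sign_update(payload: bytes, key: bytes = UPDATE_KEY) -> bytes:
    """Integrity tag the update server would attach to the payload."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_update(payload: bytes, tag: bytes, key: bytes = UPDATE_KEY) -> bool:
    """Constant-time comparison so a tampered payload is rejected before parsing."""
    return hmac.compare_digest(sign_update(payload, key), tag)


def validate_structure(doc) -> list:
    """Return a list of problems; an empty list means the document is well-formed."""
    problems = []
    if not isinstance(doc, dict):
        return ["top-level value is not an object"]
    count = doc.get("entry_count")
    entries = doc.get("entries")
    if not isinstance(count, int) or count < 0 or count > MAX_ENTRIES:
        problems.append("entry_count missing or out of range")
    if not isinstance(entries, list):
        problems.append("entries missing or not a list")
        return problems
    # The declared count must match what the body actually carries: a
    # truncated or padded file is refused instead of being walked off the end.
    if isinstance(count, int) and count != len(entries):
        problems.append(f"entry_count {count} != actual {len(entries)}")
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"entry {i} is not an object")
            continue
        if not isinstance(entry.get("id"), int):
            problems.append(f"entry {i} has no integer id")
        pattern = entry.get("pattern")
        if not isinstance(pattern, str) or not (1 <= len(pattern) <= MAX_PATTERN_LEN):
            problems.append(f"entry {i} pattern missing or bad length")
    return problems


class RuleLoader:
    """Keeps the last known-good rule set; a rejected update never replaces it."""

    def __init__(self):
        self.active = {"entry_count": 0, "entries": []}
        self.rejections = []

    def apply(self, payload: bytes, tag: bytes) -> bool:
        if not verify_update(payload, tag):
            self.rejections.append("bad signature")
            return False
        try:
            doc = json.loads(payload)
        except ValueError as exc:
            self.rejections.append(f"unparseable: {exc}")
            return False
        problems = validate_structure(doc)
        if problems:
            self.rejections.append("; ".join(problems))
            return False
        self.active = doc  # only a fully validated update becomes active
        return True


def make_update(entries):
    """Build and sign a well-formed update (the server side of the exchange)."""
    doc = {"entry_count": len(entries), "entries": entries}
    payload = json.dumps(doc).encode()
    return payload, sign_update(payload)


def demo():
    """Good update, then a count-mismatched one, then a tampered one."""
    loader = RuleLoader()
    good = [{"id": i, "pattern": f"rule-{i}"} for i in range(20)]
    payload, tag = make_update(good)
    r_good = loader.apply(payload, tag)
    # Constructed bad update: header claims 21 entries, body carries 20.
    bad_payload = json.dumps({"entry_count": 21, "entries": good}).encode()
    r_mismatch = loader.apply(bad_payload, sign_update(bad_payload))
    # Constructed tampered update: payload altered after signing.
    r_tampered = loader.apply(payload + b" ", tag)
    return r_good, r_mismatch, r_tampered, len(loader.active["entries"]), loader.rejections


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the tag is verified over the raw bytes before any parsing, so a corrupted or hostile file never reaches the parser, and the structural check runs before anything is acted on, so a file whose header disagrees with its body is refused rather than read past its end.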

  • These assholes messed it up and keep messing it up. It is time to make an example of them and maybe the future will look a bit better.

  • On this story I'm seriously disappointed by the lack of Funny. Ask again later?

  • It was flagged by the EU as anticompetitive, as Microsoft itself would not have to use such APIs, but could do things in the kernel that other companies couldn't. But the cat is out of the bag already. Apple has already clamped down on kernel space in MacOS. No third party drivers, it's all user mode extensions. Yes, security companies have discontinued their MacOS products because of this. No EU fines or investigation here.

    Maybe this time around, this will go better as this made it obvious what happens when y

  • I think people have missed the actual bug here. The problem was NOT that they shipped a buggy update. The problem was they had zero ring control and feedback for their releases.

    In hindsight it's really obvious that you should roll out a change to 0.001% of systems, 0.01%, 0.1%, 1%, etc., with a pause to listen for the kaboom between each release. They weren't doing that. Clicking the ship-it button to send a change everywhere all at once is a big oversight.
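
The ring-based rollout described in the comment above, as an added example that is not the original poster's or any vendor's code: a simulation in which hosts are assigned to rings deterministically by hashing their id, the update is pushed one ring at a time, and a failure-rate gate halts the push at the first populated ring that reports crashes. The ring schedule, the constructed fleet, the threshold and the host naming are all assumptions made for the example.

```python
import hashlib

# Cumulative fraction of the fleet that may hold the update after each ring.
# Constructed schedule following the comment's 0.001% -> 0.01% -> ... progression.
RINGS = [0.00001, 0.0001, 0.001, 0.01, 0.1, 1.0]


def ring_bucket(host_id: str) -> float:
    """Deterministic position of a host in [0, 1): the same host always lands in
    the same ring, so a halted rollout can be resumed without re-sampling."""
    digest = hashlib.sha256(host_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


def staged_rollout(hosts, apply_update, max_failure_rate=0.01):
    """Push the update ring by ring and listen for the kaboom after each one.

    apply_update(host) returns True if the host is healthy after the update and
    False if it is not (for example, it did not come back up). The rollout
    halts at the first ring whose failure rate exceeds max_failure_rate.
    Returns (updated_hosts, failed_hosts, halted_at_ring_or_None).
    """
    buckets = {h: ring_bucket(h) for h in hosts}
    done, updated, failed = set(), [], []
    for ring_idx, cutoff in enumerate(RINGS):
        ring = [h for h in hosts if h not in done and buckets[h] < cutoff]
        ring_failures = 0
        for h in ring:
            done.add(h)
            updated.append(h)
            if not apply_update(h):
                failed.append(h)
                ring_failures += 1
        # Health gate: an empty ring (fleet too small for this fraction) carries
        # no signal, so only a populated ring can stop the rollout.
        if ring and ring_failures / len(ring) > max_failure_rate:
            return updated, failed, ring_idx
    return updated, failed, None


def push_everywhere(hosts, apply_update):
    """The 'ship it everywhere at once' path, for comparison: returns failed hosts."""
    return [h for h in hosts if not apply_update(h)]


def demo(fleet_size=100_000):
    # Constructed fleet; a real deployment would read this from inventory.
    hosts = [f"host-{i:06d}" for i in range(fleet_size)]

    def bad_update(host):   # every host that receives it stops booting
        return False

    def good_update(host):
        return True

    bad_updated, bad_failed, bad_halted = staged_rollout(hosts, bad_update)
    good_updated, good_failed, good_halted = staged_rollout(hosts, good_update)
    return {
        "staged_bad_hosts_hit": len(bad_updated),
        "staged_bad_failed": len(bad_failed),
        "staged_bad_halted_ring": bad_halted,
        "staged_good_updated": len(good_updated),
        "staged_good_failed": len(good_failed),
        "staged_good_halted_ring": good_halted,
        "everywhere_bad_failed": len(push_everywhere(hosts, bad_update)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With a 100,000-host fleet the first ring holds about one host, so a change that crashes everything it touches is stopped after a handful of machines, while the unstaged push takes out the whole fleet; a healthy update walks through every ring and reaches all hosts. The hash-based assignment is what makes the rings stable between runs, which matters when a halted rollout is later resumed.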
