

German Cyber Agency Wants Changes in Microsoft, CrowdStrike Products After Tech Outage (wsj.com)
An anonymous reader shares a report: Since last month's blue-screen deluge, CrowdStrike has published analyses of what went wrong and said it hired third-party security companies to review its product. Now, Germany's powerful cybersecurity agency is seizing the moment and hoping to rattle tech and cyber companies into altering their products to head off another mega-meltdown. In particular, the Bonn-based Federal Office for Information Security is taking aim at the access Microsoft gives security providers to its Windows kernel, a core part of its operating system. As well, the German agency is looking for fundamental changes in the way CrowdStrike and other cyber firms design their tools, in hopes of curbing that access.
"The most important thing is to prevent [that] this can happen again," said Thomas Caspers, director general for technology strategy at the BSI, as the agency is known. Leveraging the dread that filled Silicon Valley following the July outage, the BSI is planning to organize a conference this year gathering major tech firms, where it hopes they will commit to restricting access to the kernel, a change Caspers says is crucial to stopping similar failures. "We expect each company to be very specific about what they will do based on what we agreed on," he said.
When you criminalize kernel access... (Score:1, Funny)
...only criminals will have kernel access. And Microsoft, but I repeat myself.
app store only and 30% of all in app sales! (Score:2, Funny)
app store only and 30% of all in app sales!
How? (Score:5, Interesting)
I'm not sure how you build software like this without these risks. The only real fix is more testing and more software engineers which means lower profits.
Now would be a good time to undo Ronald Reagan's policy allowing stock buybacks. A huge part of the reason for stuff like this and the Boeing disasters is because money that should be getting invested is being diverted into stock buybacks. We were warned about this back in the '80s.
Re:How? (Score:4, Funny)
As I understand it the problem is this kind of software needs to run close to the metal
You haven't been following these conversations at all, clearly.
The problem is, Microsoft was using direct kernel access for these same functions and didn't want to stop, so the EU forced them to open up the same access to others as it was anticompetitive of them. It's much like when we found out that Office apps were using undocumented functions, and that everyone else was having to use functions which were literally those same functions with a delay loop added.
I'm not sure how you build software like this without these risks.
You do it by providing an API for the purpose instead of having to use a smattering of features that programs shouldn't really have access to in the first place. But Microsoft isn't really competent to do that, so they decided not to.
So I understand all that (Score:2)
You can't just give somebody an API for that because as soon as you do the possibility of that API being compromised comes into play. The reason you get access at this level is because it's very very difficult to compromise at that level unless you're talking about operat
Re: So I understand all that (Score:2)
"But it doesn't change the point that I made, which is that without that direct kernel access you can't really write the kind of security software we're talking about here."
The point you made was wrong, and repeating it doesn't change that.
Define 'needs'? (Score:2)
Is it easier to see what happens with zero security preventing your mistakes? Sure. Seems more like the two companies don't want to define where the limits are, and create API's for access. I'm sure it's cheaper and easier for both companies.
Yes, transitioning between kernel and user mode has costs... Seems like something to optimize for, both in hardware and software. I know Microsoft moved the graphics API into user mode for a bit (I assume for reliability/security), but shifted it back when the cost
Re: (Score:3)
I'm not sure how you build software like this without these risks. The only real fix is more testing and more software engineers which means lower profits.
Software like this can be built by controlling the actions the software would take yourself and exposing the software's ability to do them only via an API rather than letting it tamper directly with the kernel.
But the thing is... there's a more fundamental question here: Microsoft provides both users and software companies enough rope with which to hang themselves. Do we want to progress to an even more Apple-ification of the world, where you're locked out of parts of your own OS "for your security"?
I don't
Re: (Score:2)
Exactly this. It's why I mostly blame CrowdStrike. With great power comes great responsibility.
Re: (Score:2)
As I understand it the problem is this kind of software needs to run close to the metal and it needs to blue screen when something like this happens because that's a sign someone might be tampering with it. I'm not sure how you build software like this without these risks.
If only there were something wanting to secure its Year on The Desktop out there that brings into question the stronghold of Microsoft OS that creates a need to even install products like Crowdstrike.
(This would be a damn good time for all companies to realize their other massive dependencies.)
Re: (Score:2)
I know there are commercial Linux servers running Crowdstrike as well. Are you saying the Linux OS doesn't need Crowdstrike? Could you explain why it would not make use of similar kernel-level malware protection? I mean sure, you could not wear the condom, but it sounds like there *is* risk. Why is the Linux risk of getting infected by the type of malware Crowdstrike protects against so much less than the Windows one in this case? Are the Linux admins of the servers that use Crowdstrike protection doing it
Re: (Score:3)
As I understand it the problem is this kind of software needs to run close to the metal and it needs to blue screen when something like this happens because that's a sign someone might be tampering with it.
Your understanding is incorrect.
Re: (Score:2)
I'm not sure how you build software like this without these risks.
It's a good thing you are not the one who has to architect it properly then isn't it? The only thing preventing this from being architected correctly is that Microsoft wants to maintain an advantage.
Information Security is taking aim... (Score:1)
....Make up your mind? (Score:2, Interesting)
So wasn't it the EU that pushed MS to give equal access to third parties for protection? It ultimately seems like a case of Microsoft OS isn't really appropriate due to architectural limitations and laziness.
Re: (Score:3)
You guys are just "useful idiots". The reason for the crash wasn't that they had access to things that Microsoft would have hidden from them if it weren't for the EU enforcing competition. The dumbasses dereferenced a null pointer in kernel mode because their own update fed their own driver their own bad data. There are lots of kernel space drivers in Windows for performance reasons, and any one of them can have that kind of bug and crash the system. Windows was absolutely "designed for that", but somehow S
Re: (Score:2)
Indeed. It is really quite repulsive and utterly dumb. People even think that Microsoft makes good products. How disconnected from reality can you be?
Re:....Make up your mind? (Score:5, Insightful)
When you require someone to give others access to something that was not designed for that, expect trouble. This is a classic example of EU regulators having no idea what they are doing. The EU bureaucracy is the most powerful and least accountable in the world.
Problem: Microsoft has an unfair competitive advantage because it gives its own software privileged access which it denies to other companies.
EU says: you must no longer have that competitive advantage. This is a completely reasonable ask! Not at all evidence that EU regulators have no idea what they're doing.
How to fulfill the ask? (1) Microsoft rewrites its own software to no longer use that privileged access. Or (2) Microsoft packages up the access in a safe way so everyone can use it safely. Or (3) Microsoft gives other companies the same unsafe access that it enjoys.
Microsoft picked option (3) which I'm sure was the easiest quick fix. If there were an engineering way to do (1) or (2), that would have been better for the world but would have cost more effort and risk to create in the first place.
I'm not sure what you're talking about (Score:2)
But we all know Microsoft is so famous for great security so I guess why would anyone want a third-party solution to monito
Re:....Make up your mind? (Score:5, Insightful)
This is a classic example of EU regulators having no idea what they are doing.
This is a classic example of Microsoft engaging in antitrust, the antitrust being stopped by a government, and Microsoft taking the dumbest and least secure way out of the situation possible.
The court didn't have the power to force Microsoft to do things intelligently, because they were only regulating antitrust, and also because Microsoft has never demonstrated any ability to do that to begin with.
Re: (Score:2)
Indeed. Like a petulant child, MS made the dumbest fix they could.
Re:....Make up your mind? (Score:5, Insightful)
This is a classic example of EU regulators having no idea what they are doing.
False. The EU regulator required only an even playing field for functionality preventing Microsoft from locking away features of an OS for themselves. What the EU did was objectively both good and right. The fact that someone fucked it up is on them, not the EU.
Hint: Open source software provides far more latitude to fuck up your own system in weird and wonderful ways than Microsoft does, when are you going to complain about the fact I can compile and run my own Linux kernel?
Re: (Score:2)
BSI is Germany. It largely disregards Brussels and does things on its own. Especially so on matters that relate to the national security of Germany. Their view on EU Commission is something of "bureaucratic clowns that we fund and tolerate, but can also ignore at will".
So there is no "mind" to be made up here. Europe or EU is not a single organization. It also has no reason or incentive to have a common opinion on issues like that.
BSI has serious influence over big cloud providers, so don't underestimate it.
Re: (Score:2)
So wasn't it the EU that pushed MS to give equal access to third parties for protection? It ultimately seems like a case of Microsoft OS isn't really appropriate due to architectural limitations and laziness.
No, the laziness here is on the part of CrowdStrike. Microsoft actually do provide APIs to safely do what CrowdStrike does, but it wasn't used. Now here's the kicker: for the off chance that once in 20 years a cataclysmic event causes a bunch of computers not to work for a couple of hours, is it worth being locked out further from your own OS?
I applaud Microsoft's "laziness" here. The ability to control a system at a low level would often be considered the stuff of OpenSource software, and now we're throwing the
Re: (Score:2)
No. What the EU "pushed" for is that Microsoft stops its illegal practices. The law says that competitors must have equal access to any API that MS uses for its own competing products. MS tried to offer an API but failed to make it credible that it would limit itself to that API. Hence competitors complained. And then, instead of credibly limiting itself to that API, MS opened up the kernel. The fault here is really fully with MS.
apps like this must allow full update timing cont (Score:2)
apps like this must allow full update timing control on a per-system level.
So you can have your own test, stage, prod, etc. groups.
And not be updated whenever CrowdStrike pushes an update.
Even if they do will companies pay for the testing (Score:3)
We've built a system that requires endless growth in order to satisfy investors and that was fine when computers were due because there was always more and more and more growth from rolling out new computer systems and networks.
But we've basically done the computing equivalent of go west young man and we're done with that. The markets are t
how quickly we forget (Score:1)
https://www.theregister.com/20... [theregister.com]
So, is it just because this had a bigger impact that we care to do something about it in Windows only?
Re: (Score:2)
If you read the link, the Linux issue was in userland and it was a bug. That doesn't mean that ClownStroke could not create a kernel level panic. Sure, not the same issue exactly but very related. Makes no sense to try to harden one OS in the area and not look at other OSs that are used in a similar way.
Terms of Service like this can't continue (Score:3)
For starters, no one has ever read one, nor taken them seriously. Scroll to the bottom and press "accept".
But more importantly, if you sell bridge designing software, and say in the TOS, "not for designing or building real bridges"... yeah, that's a contradiction.
Which is it? IMHO, it's way past time that the courts ruled this into reality. You must accept liability for the prime purpose of your software.
You can't say our critical infrastructure protecting software won't protect your critical infrastructure.
Any Professional Engineers here? You wear liability. Comments?
Re: (Score:2)
Courts vary in how they interpret TOS. So it certainly means something. But what exactly it means is very much hidden in legal details in each jurisdiction and court system.
This one will take a while to go through the legal systems of each relevant nation, as most justice systems aren't authoritarian, and therefore have safeguards that slow it down.
Why does Windows need a 3rd party for security? (Score:2)
Is there a systemic lack of security?
Re: (Score:2)
Same reason why CrowdStrike makes the same products available for Linux. There's demand for them.
Re: (Score:2)
Why does Windows need a 3rd party for security?
You already know or suspect:
Is there a systemic lack of security?
Yes.
Does the OS just need to be more reliable? (Score:2)
Meaning that 'any' failure could be recovered from instead...
We never did get to see a microkernel OS, and shifting as much into user mode was (I thought) part of the benefit there. Though maybe not for all versions.
We have a lot of 'virtualizing' happening, and have for a long time (should be cheap/efficient/reliable)... Couldn't the whole system be virtualized into multiple running machines, and you just shift to the one that works still?
Feels like the giants in charge have gotten lazy and are willing t
Re: (Score:2)
Meaning that 'any' failure could be recovered from instead...
At some point the kernel in any OS needs to decide whether going forward may cause more harm than producing an abend, something that even the Linux kernel does. The point at which that will happen depends highly on the OS and the failure, but the reality is that some failures cannot be recovered from.
Re: (Score:2)
L4 was the big advance as they realised how to make it small enough to sit in cache and so remove many performance penalties, I gather (but I'm no expert so that could be wrong).
We seriously need something worthy of trust down at the bottom layers, imho.
Of course there's plenty of other vulnerabilities, and maybe they dwarf any gains made by having a secure kernel... one for argument I guess.
Blame CrowdStrike (Score:2)
Mostly, this is on CrowdStrike. They're the idiots that didn't even include a simple CRC on the updates that would have prevented all of this. They also apparently included no testing whatsoever involved in pushing an update out. They didn't allow for local admins to control where and when the update actually deploys on the machines they're responsible for. They didn't implement a phased rollout during working hours that could have stopped this before every single machine was affected. In other words, Crowd
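The two complaints in this thread that are engineering rather than politics are that a content update reached a kernel component without so much as an integrity check, and that administrators had no say over when their machines received it. The following is an added illustration of both, written for this page; it is not CrowdStrike's or Microsoft's code, and the update layout (the `EXU1` magic, the 16-byte header, the `MAX_FIELD_INDEX` table size, the ring delays) is constructed for the example. The loader checks a CRC32 over the body before parsing, validates every record before it could be used as an index, and keeps the last-known-good content when anything fails; the ring gate models the per-system test/stage/prod control the earlier comment asked for.

```python
import struct
import zlib
from datetime import datetime, timedelta, timezone

# Constructed on-disk layout for this example; it is not any vendor's real channel-file format.
MAGIC = b"EXU1"
HEADER = struct.Struct("<4sIII")   # magic, version, record_count, crc32(body)
RECORD = struct.Struct("<II")      # field_index, value
MAX_FIELD_INDEX = 20               # hypothetical size of the table the consumer indexes into


class UpdateRejected(Exception):
    """Raised for any malformed update; the caller keeps its last-known-good content."""


def build_update(version, records):
    """Serialise records behind a header whose CRC32 covers the body (used to make inputs)."""
    body = b"".join(RECORD.pack(idx, val) for idx, val in records)
    return HEADER.pack(MAGIC, version, len(records), zlib.crc32(body)) + body


def parse_update(blob):
    """Validate an update end to end before any record is used.
    Each failed check raises instead of letting bad data reach the consumer."""
    if len(blob) < HEADER.size:
        raise UpdateRejected("truncated header")
    magic, version, count, crc = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise UpdateRejected("bad magic")
    body = blob[HEADER.size:]
    if zlib.crc32(body) != crc:
        raise UpdateRejected("crc mismatch")  # corrupted or truncated in transit
    if len(body) != count * RECORD.size:
        raise UpdateRejected("record count does not match body length")
    records = []
    for off in range(0, len(body), RECORD.size):
        idx, val = RECORD.unpack_from(body, off)
        if idx >= MAX_FIELD_INDEX:
            # Would become an out-of-bounds read in a consumer that trusts the index.
            raise UpdateRejected(f"field index {idx} out of range")
        records.append((idx, val))
    return version, records


class ContentStore:
    """Holds the active content and swaps it only for a fully validated, newer update."""

    def __init__(self, version, records):
        self.version = version
        self.records = records

    def apply(self, blob):
        try:
            version, records = parse_update(blob)
        except UpdateRejected as exc:
            return False, str(exc)          # last-known-good content stays active
        if version <= self.version:
            return False, "stale version"   # refuse rollback or replay of an old file
        self.version, self.records = version, records
        return True, "applied"


# Deployment rings: an admin assigns each host a ring and can hold every rollout.
RING_DELAY = {"test": timedelta(0), "stage": timedelta(hours=24), "prod": timedelta(hours=72)}


def eligible(host_ring, released_at, now, hold=False):
    """True only when this host's ring has reached the release and no hold is in place."""
    if hold:
        return False
    return now >= released_at + RING_DELAY[host_ring]


if __name__ == "__main__":
    store = ContentStore(1, [(0, 1)])
    good = build_update(2, [(3, 0xDEAD), (7, 0xBEEF)])
    print(store.apply(good))                              # (True, 'applied')
    corrupted = good[:-1] + bytes([good[-1] ^ 0xFF])      # flip one byte of the body
    print(store.apply(corrupted))                         # (False, 'crc mismatch')
    print(store.apply(build_update(3, [(25, 1)])))        # (False, 'field index 25 out of range')
    release = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(eligible("prod", release, release + timedelta(hours=24)))  # False
```

A CRC only catches accidental corruption; an update that an attacker could substitute needs a signature check in front of the same parser, and the structural validation (count, length, index range) matters regardless of which integrity check precedes it, because a file can be perfectly intact and still carry data the consumer was never written to handle.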
Germany isn't big enough (Score:2)
Germany isn't big enough to force this kind of change on Microsoft. Any successes that they have will end up in more misery for everyone and will not achieve the goals it sets out to do.
Microsoft is literally too large and too complete of a monopoly for any single State to take on... even the USA, where Microsoft exists is incapable of regulating their behavior.