
A Week After a Worldwide Windows Outage Microsoft is 'Bricking' Windows All On Its Own, Cannot Blame Others Anymore

posted by Roy Schestowitz on Jul 26, 2024,
updated Jul 26, 2024


A look back at a week of lousy press coverage, Microsoft deceit, and lessons to be learned

A week ago the "world stopped" (the world increasingly depends on digitalised systems to operate properly) because Windows systems had broken down. Since then, Microsoft's evolving "blame game" has been the subject of scorn and criticism, and then, about a day ago, Microsoft had nobody left to blame but itself.

We intentionally waited a whole week, to let the dust settle somewhat before taking a fresher look back. Today is the day to debunk some common myths and show examples.

As an associate put it, "there are some kinds of news which take time to investigate and get to the bottom of. One thing though was Microsoft was protesting so much that one could almost guarantee they were trying to cover for several problems."

There were problems other than a bad patch. The media lost sight of these.

First, a little background though.

A few days ago in the FSF's mailing lists we saw this message by Akira Urushibata on "Microsoft and Crowdstrike". It's a decent summary:

The massive computer outages of Friday July 20 were caused by an update of security software. Microsoft computers were affected but the source of the problem was an update supplied by a third-party security firm named CrowdStrike. Headlines showed the names of both Microsoft and CrowdStrike. I believe this was necessary because only computers running Microsoft software were affected: the information was valuable for those dealing with the problem. However the wording probably led the unsuspecting to believe that both firms were responsible. The articles which followed the headlines typically said that Microsoft had identified the problem and was helping those affected.

I would like to know about the relationship between Microsoft and CrowdStrike. It is quite likely that security software requires privileges that the OS maker has to provide through a special agreement. The two companies are separate, yet they are likely in a cooperative relationship of some sort.

If Microsoft was not at all responsible for the ordeal, how do we explain its generous attitude? One possible explanation is that it understands that it does not dominate the OS field any more. Customers are likely to consider alternatives including GNU/Linux after this ordeal and it would not be good policy to be callous toward their anxiety.

I would like to hear your opinions. Thank you in advance.

---

CrowdStrike and Microsoft: What we know about global IT outage - BBC News

https://www.bbc.co.uk/news/articles/cp4wnrxqlewo

This is an example of an article from a major news outlet that says that Microsoft is working on mitigating the issue, without reporting whether it has said anything about its own responsibility.

Two days ago Denis 'GNUtoo' Carikli responded as follows:

On Sun, 21 Jul 2024 10:13:55 +0900 (JST)
Akira Urushibata <afu@wta.att.ne.jp> wrote:
> I would like to know about the relationship between Microsoft and
> CrowdStrike.  It is quite likely that security software requires
> privileges that the OS maker has to provide through a special
> agreement.
I understand this outage a bit differently.

Personally I don't think that the company names are very relevant here. As for the kind of software (anti-malware): it needs to have the most privileges possible to work properly, as that kind of software is supposed to detect things like rootkits.
To make such an outage you need:
- A lot of people and/or organizations to rely on some software that is updated automatically.
- To have the producer of that software issue an update that prevents computers from booting (you don't necessarily need privileged software for that; bad luck and a bug, let's say in a filesystem driver for instance, could trigger that too, but it's more likely if the software is privileged already). The update could either be malicious or be an accident.
It could even happen with free software in the future if some (new?) free software businesses follow a business model that has all these ingredients.
Now, with free software and the distribution model (what you get with a regular distribution like Trisquel, and that you don't get with AppImage / Flatpak), the update of a piece of software (like xz for instance) doesn't happen instantaneously, and the maintainer(s) of a given software (like xz) cannot force users nor distributions to install the latest update.
So that leaves a lot of space for testing and for finding issues, so in case of issues not everything goes down at the same time, and some people/organizations will often find the issue before others.

The bigger issue:
-----------------
Note that more broadly the free software distribution model differs a lot from nonfree OS, Android, or things like AppImage / Flatpak, so even extremely basic threat modeling can differ a lot.
A key difference is that in the distribution model, applications are basically trusted not to be malicious, and a lot of security systems / features are built around that assumption (the privilege drop, or hardening at compilation time are good examples of that).
This reduces the attack surface a lot. If we look at Microsoft Windows instead, there people download and run random binaries, so the attack surface is way bigger and too complex to really secure in practice.
And if you look at the iPhone instead, in practice it manages to remove all users' freedom (you can't even run the program you want there without Apple allowing it) without even managing to guarantee users' privacy, due to the business model of many applications in the App Store.
The issue is that the more we follow a model where we basically give all control to the developers of applications, the more we are exposed to issues that plague these operating systems (Windows, iOS, Android).
And the only thing in the way with this model is probably the sandbox, and the fact that not everybody runs the same piece of nonfree or badly written software.
For instance you could in theory have an application that for some reason becomes malicious (it already happened to some libraries packaged with NodeJS), and is updated automatically (this is by design), and manages to escape sandboxing (it only needs 1 exploit; that is not trivial to do though), then exploits buggy out-of-tree (free or nonfree) WiFi drivers or nonfree firmware (that is probably easy to do), exploits bugs inside nonfree UEFI (that is probably easy to do but probably doesn't scale well to a big variety of devices) and completely takes control of the computers at a very targeted or large scale.
And then if that starts happening, you might be tempted to start relying on the same kind of security mechanisms nonfree operating systems use to avoid such issues (secure boot, remote control from the company that manages the operating system / app store, using anti-malware software that detects threats, etc). Not only does this approach not work well for users' freedom in practice, but then you also end up being vulnerable to incidents like the CrowdStrike one you mentioned.
So the only solution I know to avoid all that mess is probably to use what works well: free software, ideally of good quality (to limit both the attack surface and the need to always update), and to get it through some distribution (like Trisquel, Guix, etc) that doesn't give all powers to the developers of applications / OS components.
As for updates, some distributions (like Guix or Trisquel) also provide tools to track CVEs, and some use backported security fixes (like Trisquel).
And also a good practice if you run some infrastructure with it is to reduce the attack surface, as this tends to work well (not running services that you don't need, etc).
Denis.
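
Denis's point about the distribution model (an update reaches different machines at different times, so a broken one is noticed before it reaches everyone) can be put in code. What follows is an added example written for this page, not code from the mailing-list thread, from CrowdStrike or from Microsoft: a constructed fleet of hosts split into rollout rings, a content update flagged as breaking boot, and a ring-by-ring push with a health gate, compared against pushing to every host at once. The host names, ring sizes, the `breaks_boot` flag and the zero-tolerance threshold are all assumptions made for illustration; nothing here is data from the real incident.

```python
"""Added example (not from the page, the thread, or any vendor): staged
content-update rollout with a health gate versus a push to every host at
once.  Fleet, rings and the 'breaks_boot' fault are constructed for
illustration only."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Host:
    name: str
    ring: str              # "canary", "early", "broad" or "everyone"
    version: str = "v1"
    healthy: bool = True   # False once an update has left it unbootable


@dataclass
class Update:
    version: str
    breaks_boot: bool      # constructed fault: the update crashes the host at boot


# Rings are released in this order; each one is larger than the last.
RING_ORDER = ["canary", "early", "broad", "everyone"]


def apply_update(host: Host, update: Update) -> None:
    """Install the update on one host; a broken update leaves it unbootable."""
    host.version = update.version
    host.healthy = not update.breaks_boot


def push_all_at_once(hosts: List[Host], update: Update) -> int:
    """The auto-update-everything model: every host receives the update
    immediately and nobody gets a chance to notice a problem first.
    Returns the number of hosts left unhealthy."""
    for h in hosts:
        apply_update(h, update)
    return sum(not h.healthy for h in hosts)


def staged_rollout(hosts: List[Host], update: Update,
                   max_failure_rate: float = 0.0) -> Tuple[int, List[str]]:
    """Ring-by-ring rollout with a health gate.  After each ring, stop if
    more than max_failure_rate of that ring's hosts failed to come back.
    Returns (unhealthy host count, rings that actually received the update)."""
    released: List[str] = []
    for ring in RING_ORDER:
        ring_hosts = [h for h in hosts if h.ring == ring]
        if not ring_hosts:
            continue
        for h in ring_hosts:
            apply_update(h, update)
        released.append(ring)
        failures = sum(not h.healthy for h in ring_hosts)
        if failures / len(ring_hosts) > max_failure_rate:
            break  # halt here: the blast radius stays inside this ring
    return sum(not h.healthy for h in hosts), released


def build_fleet(n: int = 1000) -> List[Host]:
    """Constructed fleet: 1% canary, 9% early, 40% broad, the rest everyone."""
    fleet: List[Host] = []
    for i in range(n):
        if i < n * 0.01:
            ring = "canary"
        elif i < n * 0.10:
            ring = "early"
        elif i < n * 0.50:
            ring = "broad"
        else:
            ring = "everyone"
        fleet.append(Host(f"host{i:04d}", ring))
    return fleet


if __name__ == "__main__":
    bad = Update("v2", breaks_boot=True)
    print("push to all at once, unbootable hosts:", push_all_at_once(build_fleet(), bad))
    unhealthy, rings = staged_rollout(build_fleet(), bad)
    print("staged with health gate, unbootable hosts:", unhealthy, "rings released:", rings)
```

Run as a script it prints the blast radius under both policies: 1,000 unbootable hosts when everything is updated at once, 10 (the canary ring only) when the gate halts the rollout. The gate only helps if the canary hosts actually reboot and report back before the next ring is released; that delay is the "space for testing" Denis describes, and a vendor that pushes content to every endpoint within minutes has removed it.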

Yesterday the FSF wrote about it also:

Let's be clear: in principle, there is nothing ethically wrong with automatic updates so long as the user has made an informed choice to receive them. For instance, it's perfectly understandable that a public library might not want to pore over kernel changelogs; they simply want to receive the update and move on with their work. At the same time, software bugs happen. Free software developers know this better than anyone. The Linux(-libre) kernel does not have some mystic immunity to them. What our community does have is a social structure that, most likely, would have rectified the situation swiftly.

What free software offers is a diversity of choice. Although we can understand how the situation developed, one wonders how wise it is for so many critical services around the world to hedge their bets on a single distribution of a single operating system made by a single stupefyingly predatory monopoly in Redmond, Washington. Instead, we can imagine a more horizontal structure, where this airline and this public library are using different versions of GNU/Linux, each with their own security teams and on different versions of the Linux(-libre) kernel. For example, a library in Vietnam wouldn't necessarily be dependent on an American software company for their day-to-day work.

As of our writing, we've been unable to ascertain just how much access to the Windows kernel source code Microsoft granted to CrowdStrike engineers. (For another thing, the root cause of the problem appears to have been an error in a configuration file.) But this being the free software movement, we could guarantee that all security engineers and all stakeholders could have equal access to the source code, proving the old adage that "with enough eyes, all bugs are shallow." There is no good reason to withhold code from the public, especially code so integral to the daily functioning of so many public institutions and businesses.

Those are Free software perspectives on the whole thing.

psydruid (in IRC) said that the Microsoft response became, "this can totally happen to Linux too, so it doesn't make a difference whether you run Windows or Linux"

psydruid said this was "a great way to shut down the discussion and it's so transparent too".

We saw many dozens of bad articles, almost 100 in English alone. We cannot respond to all of them (it would not scale), but instead we'll take a subsample. There are many overlaps there anyway.

Last week we saw this article saying "Microsoft deployed hundreds of engineers [sic], experts [sic] to restore services," in effect misrepresenting Microsoft as an authority rather than the cause of the problems, as an associate noted.

And apropos lying and lies, the associate said, this Microsoft-funded site repeated a lie. As the associate explained: "It is a cybersecurity breach because it affected Availability of said systems. Silicon Angle and the other minions of Microsoft are lying about the scope of the incident in that way, which calls into question the rest of their coverage."

He said "it exemplifies the lies and talking points that most of the other sites are now also taking up and peddling in place of investigative reporting."

"It should not escape notice that even though the claim is 'only' 8.5 million systems, those 8.5 million had been installed in mission-critical locations by bad actors usually on the inside of the victim institutions; yep, it's still too soon to bring all that up."

Separately he said that "the spin of the Windows + CrowdStrike collapse can be addressed sooner. It is very important that their roles in the causing problems retain the spotlight and that it not be spun as an "IT" or a "tech" thing. Those are the headlines this [past] weekend."

"I'm seeing dozens of such articles in this batch and none that are not spin any more. Microsoft is also conflating server with desktop -- again. That can be addressed now without naming Microsoft, since you have an ongoing series about market share. Desktop is a separate market from the server market (also the mobile market, and the super computer market) and it would help prepare things to establish just how minuscule Microsoft market share is in regards to servers. Not just the physical numbers but in regards to the number of services. Remember that on a normal server, the ratio of services to hardware is many to one. On Windows gimmicks, the ratio of services to hardware is one to many. Inverted."

"Does "1% of all Windows machines worldwide" equate to "100% of all Windows servers worldwide"?"

As this one blogger put it: "The company did release a statement with “Technical Details ”. This is a big nothingburger. They are confirming what we already knew. Nothing is said about the server side, root causes and the chain of process failures that led to this incident."

A later talking point developed at the start of the week and was brought up again hours ago in IRC (so it's not a dead talking point yet). It's the "rumor (Twitter) spreading the idea that 2009 enforcement of anti-trust laws by the EU is to blame."

Microsoft tried shifting attention to many parties, including the EU and "Linux". In the above, it has been noted, "the account behind post 38 is probably some kind of astroturfer or professional troll, based on established posting history [and further to] the disinformation in comment #38 [...] Microsoft is flailing about grasping at straws for any kind of distraction: "EU gave CrowdStrike keys to Windows kernel, Microsoft claims". [...] Tom's Hardware now in on the disinformation: "Microsoft's EU agreement means it will be hard to avoid CrowdStrike-like calamities in the future" (that was about 5 days ago, only 1-2 days after it had all started).

And "apropos CrowdStrike," the associate said, "aside from the general failure of Microsoft products and their lack of suitability for any given environment, there is also the problem of desktop monocultures, as exemplified by this crap."

The outages resulted in fatalities, but the media probably stopped short of saying so for fear of litigation (stating it plainly would expose Microsoft to lawsuits from the victims' families, as Windows failures at medical facilities resulted in deaths). Not just BSoDs but actual deaths happened.

As an associate puts it: "The way of thinking which locks products and services to closed protocols and closed formats allows the creation of deadly monopolies. (See earlier very old articles on Microsoft as a national security threat in that regard.)"

"Few to none of the articles point out that there are other systems than Microsoft and that these other systems remain unaffected. Apropos other systems the London Stock Exchange still runs Linux, IIRC? If so, that would be basically the only reason it is still up and running."

"Day 2 of the CrowdStrike fallout sees what looks like a concerted effort to spin the problem as a 'tech' or 'computer' problem rather than something caused by and for Microsofters."

"Microsoft was named in the initial round. The second round is covering for them. The third round will likely be a repeat of spinning all praise for other systems or, worse, open standards and formats as purely schadenfreude only. Same ol' Microsoft, same ol' Microsoft media playbook."

"Availability is a key component in the standard definition of security. So by normal definitions these two incidents are major security incidents."

That's partly in response to "CrowdStrike CEO George Kurtz said “this is not a security incident..."

"The CEO lies through his teeth," the associate said. "Security = availability, integrity, and confidentiality. CrowdStrike + Windows destroyed the availability aspect, and through NTFS collapsing due to unclean shutdowns, the integrity is going to fail too (Schade raised that last point in his blog today)."

Giving more examples of deficient or poor press coverage, this one is - as per the associate - "spinning it as a 'tech' or 'computer' problem rather than a dual problem of desktop monopolies compounding a larger problem of unfit software."

There's also "Global tech [sic] outage eases after widespread disruption, new focus seen on risks" (it's Windows, not "tech").

The LA Times said "Faulty software update causes global havoc for airlines, hospitals, governments", but this "confuses common with popular and confuses desktop with all computers," the associate noted. The New York Times made similar errors; "security is not an aftermarket add-on," the associate said, and "this incident drives that fact home".

Here is evidence of the deaths caused. However, it is "more spin, while Windows kills," the associate said. This one was a "good title," however "empty article", the associate said, instead promoting this piece ("The XZ advantage over CrowdStrike").

"Headlines ought to be reading: "CrowdStrike outage: Firms rush to adopt Linux and drop Windows"," the associate said, "and quotes ought to be reading: "... noting that the issue behind the outage really was security incident severely affecting availability if not also data integrity."

Microsoft-connected sites were desperate to change the focus to "Linux" while Azure had gone down (as usual) and ransomware kept hitting Windows hard (people lost sight of that because of the outages). A side effect of all this is that people are losing sight of yet more Microsoft failures.

I myself expressed my opinion mostly in editorial comments in the sister site (as the press went along), so many of the above comments aren't mine. That's fine. A plurality of interpretations helps too.

What can be learned from all this? First, Microsoft refuses to accept accountability, no matter what. It then tries to darken the reputation of the alternatives, which are also the solutions. As for the media, it is either corruptible or afflicted with cowardice, and moreover it's too lazy to properly scrutinise false claims or investigate the facts. Parroting perceived authority is so much cheaper.

So people carry on dying needlessly and Microsoft blames "EU" and attacks "Linux" (neither of these caused hospitals to cease operations).

