You seem to miss the point. People aren’t disagreeing with you about that. The point is that this is wholly within control of Microsoft, and has nothing to do with the EU. It’s Microsoft’s choice how they implement it, just do it in compliance with the rules.

No, MS has software that can bugcheck the kernel (JIT, etc.) which would require them under EU law to open up that control to other software vendors. Without that software malware would be able to get root access and destroy a system without Windows ever being able to do something about it. You NEED kernel level protection (Windows Defender) in order to stop that. But then the EU says "Windows Defender is like Norton antivirus (etc), so MS must open up the access to other software". And that is the issue. Windows Defender should be seen as a part of Windows, and a required component of the kernel. But the EU disagrees with that.
 
No, MS has software that can bugcheck the kernel (JIT, etc.) which would require them under EU law to open up that control to other software vendors. Without that software malware would be able to get root access and destroy a system without Windows ever being able to do something about it. You NEED kernel level protection (Windows Defender) in order to stop that. But then the EU says "Windows Defender is like Norton antivirus (etc), so MS must open up the access to other software". And that is the issue. Windows Defender should be seen as a part of Windows, and a required component of the kernel. But the EU disagrees with that.
So Microsoft has a choice, change the design so they don't have a monopoly on that. That is the point. This is nothing new, they have over a decade to get themselves sorted. Nobody, including the EU, is saying you aren't allowed to deliver a secure system.
 
I have the ear of some people with political power, and I absolutely let them know what I think whenever it comes up.

...and I will be sure to let them know that this is scapegoating and a company trying to blame its mistake on anything but themselves when it's absolutely no one's fault except themselves.

The EU had zero part in this. They should be praised for holding tech companies' feet to the fire.

The EU is to blame here. If Windows was not forced to open themselves up as told by the EU, this wouldn't have happened.

Tim Cook warned about this.
 
So Microsoft has a choice, change the design so they don't have a monopoly on that. That is the point. This is nothing new, they have over a decade to get themselves sorted. Nobody, including the EU, is saying you aren't allowed to deliver a secure system.

How will you ever have a secure system if anyone is allowed to run any code they want at any level of the OS? That is basically what the EU is saying. The kernel should be closed for software that is not provided by the developer of the OS, but also the OS developer should be able to add software to the kernel.

You will always need something to check if the code that is about to run is safe. And there can't be competition on the code that runs that check.
 
What has the EU mandated here? Is it competition in the user security software market, or is it competition in the kernel security software market?

One could argue that only one organisation should have access to the kernel (the OS developer themselves) but if it’s deemed anti-competitive for that company to do that because they are the dominant player then how do you square that circle?
 
What has the EU mandated here? Is it competition in the user security software market, or is it competition in the kernel security software market?

One could argue that only one organisation should have access to the kernel (the OS developer themselves) but if it’s deemed anti-competitive for that company to do that because they are the dominant player then how do you square that circle?

Security shouldn't be ground for competition. It's like having multiple commercial police forces in one town. There is a reason why nobody does that.
 
What has the EU mandated here? Is it competition in the user security software market, or is it competition in the kernel security software market?

One could argue that only one organisation should have access to the kernel (the OS developer themselves) but if it’s deemed anti-competitive for that company to do that because they are the dominant player then how do you square that circle?
By making secure APIs that provide that controlled level of access required which are used not only by your software solution, but can also be utilised by others. And don't keep the monopoly on the insights and management provided. How they implement it is for Microsoft to decide. The rules for compliance are clear.
 
Security shouldn't be ground for competition. It's like having multiple commercial police forces in one town. There is a reason why nobody does that.
Arguably, when using equally cheesy analogies, one shouldn't be marking their own homework.

But also, having actually done this in secure environments, the Microsoft offerings aren't always the best, don't have the best signature updates, don't necessarily integrate well in a SOC/NOC. There are many reasons why you'd want to layer your security posture.
 
By making secure APIs that provide that controlled level of access required which are used not only by your software solution, but can also be utilised by others. And don't keep the monopoly on the insights and management provided. How they implement it is for Microsoft to decide. The rules for compliance are clear.
Wouldn’t that still be the dominant player controlling what’s possible by means of API instead? Isn’t the point to remove the gatekeeper from being able to control how/what happens?
 
Arguably, when using equally cheesy analogies, one shouldn't be marking their own homework.

But also, having actually done this in secure environments, the Microsoft offerings aren't always the best, don't have the best signature updates, don't necessarily integrate well in a SOC/NOC. There are many reasons why you'd want to layer your security posture.

It's a cheesy analogy, but it's also very accurate. Also the police isn't the best offering in security either. And actually Windows Defender got a lot better when they started adding kernel protection to it.

And it isn't their job to do that. Their job is to ensure the players in the common market aren't anticompetitive. And if they don't sort it out themselves, then they'll have to step in.

Exactly my point. My idea is that legislation that affects a certain market should be vetted by that market before it can go into effect. And no, I am not talking about lobby groups.
 
Good. EU needs to be held responsible for the hostility towards tech companies.
Held accountable? The EU aren't being hostile to tech companies, they have measures in place to prevent anti-competitive business practices. This applies to all companies, regardless of their market and is not confined to tech companies. Believe it or not, it's actually better for the consumer not to have monopolies and less choice. Maybe Americans aren't as bothered, but in other parts of the world a free market is much more competitive.
 
Wouldn’t that still be the dominant player controlling what’s possible by means of API instead? Isn’t the point to remove the gatekeeper from being able to control how/what happens?
Yes, possibly, but as long as they don't cripple other products, nor give their product in that space a competitive edge that is allowed. Treating all players equal is the important part.

Anyway, I think this is taken way out of context. What CrowdStrike did after they tested this release is inexcusable and stupid, but this is not like it is a common event that has happened many a time. It is also not like the result of what happened when it goes wrong goes away by removing third parties, Microsoft could do it to themselves as well. One such isolated incident isn't sufficient reason to wipe out a whole ecosystem and give it all to Microsoft. That is a knee-jerk reaction, and hands the market on a golden plate to Microsoft.
 
Oversight is not allowed by regulators (US and EU).

Myself, can't understand why alternate app-stores are needed, and why (lack of oversight) should be a good thing? If you really don't like the app-store, then why are you buying an Apple device in the first place?

I’ll like my iPhone more if I’ve more choices. It’s as simple as that. What do you have against choices? There are very few problems in the Android world related to having more than one App Store.
 
Held accountable? The EU aren't being hostile to tech companies, they have measures in place to prevent anti-competitive business practices. This applies to all companies, regardless of their market and is not confined to tech companies. Believe it or not, it's actually better for the consumer not to have monopolies and less choice. Maybe Americans aren't as bothered, but in other parts of the world a free market is much more competitive.
Actually the EU very specifically have crafted things like the DMA to only apply to certain companies (such as those over a certain market cap or number of users). Companies that fall under the thresholds are permitted to continue to be as anti-competitive as they please.

I agree that the rules should apply to ALL companies, or none.
 
Yes, possibly, but as long as they don't cripple other products, nor give their product in that space a competitive edge that is allowed. Treating all players equal is the important part.

Anyway, I think this is taken way out of context. What CrowdStrike did after they tested this release is inexcusable and stupid, but this is not like it is a common event that has happened many a time. It is also not like the result of what happened when it goes wrong goes away by removing third parties, Microsoft could do it to themselves as well. One such isolated incident isn't sufficient reason to wipe out a whole ecosystem and give it all to Microsoft. That is a knee-jerk reaction, and hands the market on a golden plate to Microsoft.
It’ll be interesting to see what new attacks iOS will suffer as a result of the DMA.
 
It's a cheesy analogy, but it's also very accurate. Also the police isn't the best offering in security either. And actually Windows Defender got a lot better when they started adding kernel protection to it.
Well, it isn't really. There are a wide variety of police services providing different levels of policing, and within a service the various officers have different powers. Then there are also federal, national, and international services. Different task forces, and specialist teams. And besides that, there is a very active private policing and security sector around the world. Nearly every large organisation has their security staff varying from access control, to corporate espionage, and of course, cybersecurity and even forensics. And then some countries have elected police officials, and specials from the private sector, who can be given powers as well.

So whilst I agree about it being cheesy, and somewhat comparable, I wouldn't get carried away in that it is very accurate ;)

Exactly my point. My idea is that legislation that affects a certain market should be vetted by that market before it can go into effect. And no, I am not talking about lobby groups.
The technical solution or implementation isn't mandated, it is policy and legislation. And of course, that is subject to checks and balances, that is part and parcel of a democratic system.
 
I’ll like my iPhone more if I’ve more choices. It’s as simple as that. What do you have against choices? There are very few problems in the Android world related to having more than one App Store.
A lot of that depends on that dynamic remaining the same. A Facebook store just for Android might not make practical or financial sense, but a Facebook store for both Android and iOS might be an attractive proposition to Facebook. And then what exclusives will Facebook gatekeep from other stores? We already see gatekeeping on the PC Epic Games Store that forces consumers into users stores they don’t necessarily want to use to get the games they want to play.
 
This is a VERY good example why you should NEVER give a user or an app full kernel control. Honestly a user / app should not even have root access if you'd ask me either. It would break 99.9% of all malware instantly.

'Freedom' is not the solution. Because most people can't handle it. So yes, MS is correct here. And if you have any doubt? Just give a regular user full root access on a Linux system for a week. It will end badly.
Yes, I agree when you say "a user", but it was a SYSADMIN who gave access to Crowdstrike. Are you saying a SYSADMIN shouldn't have full access to the system?!
 
What CrowdStrike did after they tested this release is inexcusable and stupid[...]
The question is: did they test it?

If an update was able to crash almost every PC/server, how was it possible that they didn't even detect a SINGLE ISSUE?
 
The question is: did they test it?

If an update was able to crash almost every PC/server, how was it possible that they didn't even detect a SINGLE ISSUE?
They ran over 40K test configurations in their CI pipeline. But a repacking step in the deployment that happened after the test (stupid, stupid, stupid, but they aren't the first and won't be the last doing that) caused a corruption in that file.
 
Security shouldn't be ground for competition. It's like having multiple commercial police forces in one town. There is a reason why nobody does that.
Not true! In many countries there are multiple forces...

"Law enforcement in Italy is centralized on a national level, carried out by multiple national forces, helped by few limited local agencies."
(Wikipedia, Law enforcement in Italy)
 
They ran over 40K test configurations in their CI pipeline. But a repacking step in the deployment that happened after the test (stupid, stupid, stupid, but they aren't the first and won't be the last doing that) caused a corruption in that file.
No, the official statement from their blog is:

"The configuration update triggered a logic error that resulted in an operating system crash."
 