Michael Eriksson
A Swede in Germany

CrowdStrike debacle


Meta-information:

This text began as a shorter addition to my Wordpress updates.

I have (to date) not updated the text to reflect the new position.


While I have not written specifically about CrowdStrike in the past, nor even heard of it prior to recent events, the security debacle of July 2024 illustrates several issues mentioned in past writings. (Due to their diverse character, I do not provide explicit links. Finding all the relevant pages would take too long relative to the benefit.) In particular, on the meta-level, we have issues like flawed quality and security thinking and an unwillingness to keep control where it belongs, i.e. not with makers of operating systems, security software, or, more generally, simply software.


Side-note:

Where it does belong will depend on the situation. In my personal case, I am a single user/administrator/owner of my systems and I should be in control of any and all decisions concerning these systems. With tools like CrowdStrike in a corporate system, the end users cannot have too much say (or the purpose might be undermined) and some other entity must make more centralized decisions about e.g. what updates should be installed when. Even here, however, some user leeway might be beneficial, say, in that non-critical updates can, within some limits, be postponed in order to not affect work. (And, yes, I have experienced cases where a forced MS-Windows update has kept me from work for half-an-hour while an office deadline was looming.)


More detailed issues include:

  1. Risk of automatic updates.

    While automatic updates are touted by security “experts” and the software makers, the problems potentially caused outweigh the benefits. All too often, updates bring problems, new bugs, remove good features and introduce bad features, etc. (Firefox, e.g., has a horrific record, as discussed in some older texts.) Timing of updates is a particularly important and oft-neglected issue.

    The approach taken by many Linux distributions, e.g. Debian, with big one-off releases that then see security updates only, and where the individual can make controlled updates through a sequence like apt-get update && apt-get upgrade, is superior. (But see the above side-note for complications in corporate settings.)

    With CrowdStrike: What if administrators had been informed of early problems in other businesses and simply postponed the updates until they either (hypothetically) were known to be safe or (realistically) had been replaced with corrected versions?


    Side-note:

    Here and elsewhere, I do not necessarily argue that this-and-that should be avoided, banned, or replaced categorically. Often, it is sufficient even that one can opt-in/-out (e.g. by an explicit config setting for whether to update automatically) or that a more robust alternative is present when the situation calls for it (e.g. that a non-computer means of doing something remains available, even when something is normally done by computer; note the item below on over-reliance on computers).


  2. Risk of dependency on third-party products.

    While running a computer without any products would not make sense, the number of parties that have critical influence should be minimized.

    For instance, if a computer runs an operating system from one provider, having security tools from a second provider intermingle with the operating system is a bad idea. Now there are two parties, not just one, who can cause the computer to go belly up. (In addition, the probability of poor coordination, unforeseen interactions, whatnot, increases.)

    For instance, the nonsensical drive to put everything in the “cloud” creates risks like a failed Internet connection making data and software unavailable; ditto, a third-party bankruptcy; ditto, a third-party decision to discontinue services; ditto, the failure of a third-party server; etc. With data stored locally and accessed by a local program, risks are far smaller.

    A particularly interesting angle is what happens if a third party is bought by someone else or otherwise deemed unsuitable for future use, while being hard to replace. For instance, Kaspersky has recently been banned in some U.S. contexts for being Russian owned and (allegedly) assisting the Russian government with this-and-that. What if CrowdStrike was bought by Kaspersky (or some other Russian company)?

  3. Overlapping with the above: current approaches tend to create too many single points of failure. This is by no means limited to software, however. Note e.g. flying, where a strike by any one of security grunts, check-in staff, cabin crew, or pilots can individually prevent a journey from happening.

  4. Security software doing more harm than good.

    Here the security software might have done more damage than any actual attack in the history of computing—possibly, to the point of dwarfing them.

    However, this is far from the first time that security software does more harm than good, through some type of malfunction while in a privileged position. Indeed, virus scanners have been used as an attack vector to infect a computer... A particular problem is the occasional fiddling with SSL certificates: In order to make sure that anything downloaded from the Internet is scanned (including pages visited), a common practice is to provide alternate certificates for browsers to trust, so that the virus scanner can circumvent end-to-end encryption and scan all contents before they are displayed in the browser. This, however, wrecks the “chain of trust” and has allowed hostiles to e.g. perform man-in-the-middle attacks that would not have been possible (or would have been much harder) without the certificate-fiddling by the virus scanner. Such issues are all the more perfidious, as even the professional software developer is not necessarily aware of them and as the average end user is oblivious.


    Side-note:

    This is not to be confused with known trade-offs. If e.g. a virus scanner slows the computer down too much, this can cause a net loss through lack of productivity and increase of annoyance, but there is still a deliberate trade-off: the decision makers see the slowdown as an acceptable price for the increase in security. They might, in any given case, be right or wrong, but they have made a deliberate decision—much unlike those who fall victim to a crippling bug or a security hole introduced by security software.
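    One defensive check for the certificate-fiddling described in item 4, as an added example that is not from the original post: it fingerprints every trust anchor the platform store hands to Python's ssl module and flags any that were absent from a baseline recorded on a machine you reviewed, which is how an extra interception root installed by a security product becomes visible. The baseline file name and the constructed sample bytes are my own assumptions.

```python
import hashlib
import json
import ssl
from pathlib import Path
from typing import Iterable


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, in the colon form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def system_trust_anchors() -> list[bytes]:
    """DER blobs of every CA the platform's default store hands to Python's ssl module.

    Caveat: certificates found only via a capath directory are loaded lazily by
    OpenSSL, so prefer a distribution with a single bundle file (Debian has
    /etc/ssl/certs/ca-certificates.crt) or run after a few connections.
    """
    ctx = ssl.create_default_context()  # loads the default trust store
    return ctx.get_ca_certs(binary_form=True)


def unexpected_roots(current: Iterable[bytes], baseline: set[str]) -> list[str]:
    """Fingerprints present in the store now but absent from the known-good baseline."""
    return sorted({fingerprint(der) for der in current} - baseline)


def save_baseline(path: Path, anchors: Iterable[bytes]) -> None:
    """Record the fingerprints of a store you have reviewed and consider clean."""
    path.write_text(json.dumps(sorted(fingerprint(d) for d in anchors), indent=1))


def load_baseline(path: Path) -> set[str]:
    return set(json.loads(path.read_text()))


if __name__ == "__main__":
    import sys
    baseline_file = Path("trust-baseline.json")  # assumed name; choose your own
    if sys.argv[1:] == ["snapshot"]:
        save_baseline(baseline_file, system_trust_anchors())
        print(f"baseline written to {baseline_file}")
    else:
        added = unexpected_roots(system_trust_anchors(), load_baseline(baseline_file))
        for fp in added:
            print(f"ALERT: trust anchor not in baseline: {fp}")
        sys.exit(1 if added else 0)
```

    Firefox and some other programs keep their own certificate stores, which this check does not see; the alert gives the fingerprint, so the offending certificate can be looked up with openssl afterwards.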


  5. A dangerous over-reliance on computers (in particular) and technology (in general), with insufficient manual backups.

    That inherently computer-related activities, e.g. software development, run into problems without functioning computers is understandable and acceptable, but there are few things today that are not directly or indirectly dependent on computers. To stick with air travel, just run through the various stages of a journey, from ticket purchase to baggage retrieval, and pay attention to when a computer or piece of software is used and when its absence might be a minor, major, or near-insurmountable obstacle.


    Side-note:

    An interesting example relating to electricity is the gas heating that I used to have in my apartment. While gas sucks in so many ways that I am happy to be rid of it, it could have had one advantage—the ability to get warm water for showers, heating, whatnot, even during a power failure. However, the gas heater needed electricity to run... No electricity; no gas heater. (Reasons included a small digital display and controls.)

    Of course, depending on what dependencies the gas supplier had, there might even have been an issue, had my heater not needed electricity.


  6. As a special case, a neglect of physical money.

    As exemplified by CrowdStrike, even making payments in stores can be highly problematic, if physical money is no longer an option. I have, myself, some years ago, come to a cashier with products for twenty-something Euro, found that card payments were not possible due to some malfunction of the system, and been forced to leave products behind to accommodate my lesser amount of cash. (Since then, I always try to carry a reasonable amount of cash. I also increasingly try to avoid card payments, as they allow unethical tracking of the user.)

    To this, I note that my native Sweden has all but abandoned cash, as physical money, for some reason, does not have the status of legal tender in Sweden. Moreover, there is a global trend for businesses to push for non-cash payments. (Recently, for instance, I read of some restaurant (?) that gave better prices to those who paid by smartphone.)


    Side-note:

    Apart from such issues and the aforementioned risk of unethical tracking, a lack of cash can also increase the government’s control of citizen behavior, including spending and saving—especially, if central-bank controlled digital currencies replace “regular” money. That alone is a great reason to be wary of abandoning cash. (Advantages like lesser costs for physical printing/minting and handling, a reduced risk of store robberies, whatnot, notwithstanding.)

    The issue of legal tender is tricky: Above, cash-as-legal-tender is a good thing; however, in the context of a government monopoly on money, it can be a negative, through preventing the development and spread of alternatives. A compromise might be that if someone accepts digital money of some brand, he must also accept physical money of the same brand, in combination with a requirement that all money issuers must make physical money available. (In both cases, without additional costs.)



    Side-note:

    As a note on language, “cash” and “physical money” are virtually synonymous. Cheques and the like are not included, and phrases like “Cash or card?” implicitly draw the border between cash and non-cash in the wrong place.


  7. While Microsoft might not have been the main cause behind the problems, it bears repeating that MS-Windows et co. is shit that no serious company should use over more secure and reliable alternatives, notably, from the Unix-verse.

    Not running MS-Windows, not using MS-Word, etc., might be the single best security measure one can take, and is certainly more valuable than any random security software.

  8. In the overlap between several items, we also have the issue of complexity: greater complexity increases the risk that something goes wrong and every piece of new software increases complexity. (Ditto new features in an existing software, etc.) While my main concern is the complexity of the software systems, themselves, the same idea applies elsewhere, e.g. in that a system involving more parties with the authority to perform certain actions (as with privileged security software or users with admin rights) increases the risk that someone will do something wrong, that actions by the one will clash with actions by the other, etc.

In a bigger picture, the solution to computer security is not security software—but secure and responsible computer handling. This includes not running unnecessary services on a computer, not having JavaScript and similar technologies activated when surfing the web, not enabling macros in MS-Office documents, etc.; as well as being cautious about contents from parties that are not known to be trustworthy. Of course, software makers and whatnot push in the exact opposite direction. Likewise, if software makers were to spend more time on ensuring that old features were bug-free and less on adding new features, fewer security holes would exist, and the need for security software would diminish. Again, software makers go in the opposite direction.