[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Microsoft and Crowdstrike
From: |
Denis 'GNUtoo' Carikli |
Subject: |
Re: Microsoft and Crowdstrike |
Date: |
Wed, 24 Jul 2024 23:32:16 +0200 |
On Sun, 21 Jul 2024 10:13:55 +0900 (JST)
Akira Urushibata <afu@wta.att.ne.jp> wrote:
> I would like to know about the relationship between Microsoft and
> CrowdStrike. It is quite likely that security software requires
> privileges that the OS maker has to provide through a special
> agreement.
I understand this outage a bit differently.
Personally I don't think that the company names are very relevant here.
As for the kind of software (anti-malware): it needs to have the most
privileges possible to work properly as that kind of software is
supposed to detect things like rootkits.
To make such an outage you need:
- A lot of people and/or organizations to rely on some software that is
updated automatically.
- To have the producer of that software issue an update that prevent
computers from booting (you don't necessarily need privileged
software for that, bad luck and a bug, let's say in a filesystem
driver for instance, could trigger that too, but if it's more likely
if the software is privileged already). The update could either be
malicious or be an accident.
It could even happen with free software in the future if some (new?)
free software businesses follow a business model that has all these
ingredients.
Now, with free software and the distribution model (what you get with a
regular distribution like Trisquel, and that you don't get with
Appimage / Flatpak), the update of a software (like xz for instance)
doesn't happen instantaneously, and the maintainer(s) of a given
software (like xz) cannot force users nor distributions to install the
latest update.
So that leaves a lot of space for testing and for finding issues, so in
case of issues not everything goes down at the same time, and some
people/organizations will often find the issue before others.
The bigger issue:
-----------------
Note that more broadly the free software distribution model
differs a lot from nonfree OS, Android, or things like Appimage /
Flatpak, so even extremely basic threat modeling can differ a lot.
A key difference is that in the distribution model, applications
are basically trusted not to be malicious, and a lot of security
systems / features are built around that assumption (the privilege
drop, or hardening at compilation time are good examples of that).
This reduces a lot the attack surface. If we look at Microsoft Windows
instead, there people download and run random binaries, so the attack
surface is way bigger and too complex to really secure in practice.
And if you look at the Iphone instead, in practice it practice manages
to remove all users freedom (you can't even run the program you want
there without Apple allowing it) without even managing to guarantee
users's privacy due to the business model of many applications in the
appstore.
The issue is that the more we follow a model where we basically give
all control to the developers of applications, the more we are exposed
to issues that plague these operating systems (Windows, IOS, Android).
And the only thing in the way with this model is probably the sandbox,
and the fact that not everybody runs the same piece of nonfree
or badly written software.
For instance you could in theory have an application that for some
reason become malicious (it already happened to some libraries packaged
with NodeJS), and is updated automatically (this is by design), and
manage to escape sandboxing (it only needs 1 exploit, that is not
trivial to do though), then exploit buggy out of tree (free or nonfree)
WiFi drivers or nonfree firmwares (that is probably easy to do), exploit
bugs inside nonfree UEFI (that is probably easy to do but probably
doesn't scale well to a big variety of devices) and completely take
control of the computers at a very targeted or large scale.
And then if that starts happening, you might be tempted to start relying
on the same kind of security mechanism nonfree operating systems use to
avoid such issues (secure boot, remote control from the company that
manages the operating system / app store, using anti-malware software
that detect threats, etc). Not only this approach doesn't work well for
users freedom in practice, but then you also end up being vulnerable to
incident like the Crowdstrike one you mentioned.
So the only solution I know to avoid all that mess is probably to use
what works well: free software, ideally of good quality (to limit both
the attack surface and the need to always update), and to get it though
some distribution (like Trisquel, Guix, etc) that don't give all powers
to the developers of applications / OS components.
As for updates some distributions (like Guix or Trisquel) also provide
tools to track CVEs, and some use backported security fixes (like
Trisquel).
And also a good practice if you run some infrastructure with it is also
to reduce the attack surface as this tend to work well (not run
services that you don't need, etc).
Denis.
pgpJjT8swnvUJ.pgp
Description: OpenPGP digital signature