
Let's not celebrate CrowdStrike -- let's point to a better way

by Greg Farough, published on Jul 24, 2024 04:59 PM

BSOD at Dulles Airport due to the CrowdStrike incident

If you read the news, went to work, or boarded a plane in the last few days, you no doubt encountered stories about the CrowdStrike incident, in which automatic updates to a Windows kernel driver pushed by a third-party security company crashed countless machines worldwide. For the first time in years, the mainstream press is actually using words like "kernel," and other words they typically avoid that would give the idea that there's anything happening behind Windows 10's flashy colors. As free software activists, we ought to take the opportunity to look at the situation and see how things could have gone differently.

Let's be clear: in principle, there is nothing ethically wrong with automatic updates so long as the user has made an informed choice to receive them. For instance, it's perfectly understandable that a public library might not want to pore over kernel changelogs; they simply want to receive the update and move on with their work. At the same time, software bugs happen. Free software developers know this better than anyone. The Linux(-libre) kernel does not have some mystic immunity to them. What our community does have is a social structure that, most likely, would have rectified the situation swiftly.

What free software offers is a diversity of choice. Although we can understand how the situation developed, one wonders how wise it is for so many critical services around the world to stake everything on a single distribution of a single operating system made by a single stupefyingly predatory monopoly in Redmond, Washington. Instead, we can imagine a more horizontal structure, where this airline and this public library are using different versions of GNU/Linux, each with their own security teams and on different versions of the Linux(-libre) kernel. For example, a library in Vietnam wouldn't necessarily be dependent on an American software company for their day-to-day work.

As of our writing, we've been unable to ascertain just how much access to the Windows kernel source code Microsoft granted to CrowdStrike engineers. (In any case, the root cause of the problem appears to have been an error in a configuration file.) But this being the free software movement, we could guarantee that all security engineers and all stakeholders could have equal access to the source code, proving the old adage that "with enough eyes, all bugs are shallow." There is no good reason to withhold code from the public, especially code so integral to the daily functioning of so many public institutions and businesses.

In a cunning PR spin, it appears that Microsoft has started blaming the incident on third-party firms' access to kernel source and documentation. Translated out of Redmond-ese, the point they are trying to make amounts to "if only we'd been allowed to be more secretive, this wouldn't have happened!" Anyone with so much as a basic understanding of software development can see that this argument doesn't hold water, just as anyone with a basic understanding of rhetoric can appreciate the irony that the same company that develops Copilot is whinging about the need to keep code secret from others.

We also need to see that calling for a diversity of providers of nonfree software that are mere front ends for "cloud" software doesn't solve the problem. Correcting it fully requires switching to free software that runs on the user's own computer.

The Free Software Foundation is often accused of being utopian, but we are well aware that moving airlines, libraries, and every other institution affected by the CrowdStrike outage to free software is a tremendous undertaking. Given free software's distinct ethical advantage, not to mention the embarrassing damage control underway from both Microsoft and CrowdStrike, we think the move is a necessary one. The more public an institution, the more vitally it needs to be running free software.

For what it's worth, it's also vital to check the syntax of your configuration files. CrowdStrike engineers would do well to remember that one, next time.

Image Copyright © 2024 reivax, licensed under Creative Commons Attribution-Share Alike 2.0 Generic license.
