Author Topic: Is there something to learn for embedded/IOT from the Crowdstrike disaster?  (Read 12127 times)

Offline madires

  • Super Contributor
  • ***
  • Posts: 8115
  • Country: de
  • A qualified hobbyist ;)
What I see is that Microsoft can't even manage the security and quality of the parts they have full control of. The last few years there were so many issues with updates breaking things that admins are afraid of the next update. What will break this time? Remember the WinRE partition size issue? Users are required to fix the problem themselves. Picture your mother resizing disk partitions. :palm:
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 27772
  • Country: nl
    • NCT Developments
What I see is that Microsoft can't even manage the security and quality of the parts they have full control of. The last few years there were so many issues with updates breaking things that admins are afraid of the next update. What will break this time? Remember the WinRE partition size issue? Users are required to fix the problem themselves. Picture your mother resizing disk partitions. :palm:
I agree. Microsoft doesn't care about security. Only thing that counts is shareholder value. I still recall the 'Code red' incident in the early 2000's which infected millions of PCs overnight. That forced Microsoft to think about security for the first time. But how are you going to add security to a system which hasn't been designed for it?
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline zilp

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: de
4/ At the moment, all ten of those vendors need to write their own driver with privilege escalation from user space to kernel space. If Windows is to remain free of BSODs, all ten of those drivers must be free of bugs, as far as possible.  That's a lot of code, and a lot of debugging.

5/ But there is another way. If Microsoft wrote their own privilege escalation driver, and forced all the security vendors to use that instead, then only one driver needs to be debugged and polished to near perfection.

That is kinda true, but you are ignoring the actually important question: How will it be decided who gets to write and polish that driver, and why will that get a better overall result than having everyone write their own drivers?

If one party gets to write and polish that one driver, but they are just polishing a turd, the overall result can still be worse than if everyone writes their own driver, none perfect, but only a few people end up using the turd, most people end up using a reasonably decent implementation.

6/ So on one hand we have one driver that could BSOD Windows, on the other hand we have ten drivers that could BSOD Windows. Having ten BSOD-capable drivers in the ecosystem (all doing much the same thing, remember) is obviously more risky than having one BSOD-capable driver.

That is just false. Not only for the reason above, but also because monocultures create risks in themselves. The flip side of having only one implementation to maintain is that that implementation becomes a high-profile target.

Also, you might be confusing "higher risk to have a BSOD happen somewhere" with "higher risk to have a BSOD happen on your machine". Your average machine will have only one of those installed, so any given machine is only affected by the risk associated with one driver regardless.

And that difference is also important for global impact assessment: When everyone is using the same driver that ends up crashing all machines using it, you have the world crash. When you have 10 drivers, and only every tenth company on the planet uses a given driver, only 10% of the world stops working. That resilience might even be worth using slightly lower-quality drivers.

8/ Microsoft has invested billions in Windows: it is their crown jewels. Nobody has as much interest in Windows as Microsoft. They cannot control what third party applications do, but they absolutely can control Windows itself.

Then why is the security of Windows systems so terrible that you need crap like Crowdstrike?

That is why, from Microsoft's point of view, forcing as much third party code as possible to run solely in user mode is an obvious step to take.

Which is irrelevant for how EU competition authorities should decide, which is what your original claims were about, when you said that they maybe should change their decision.

Now, our friend @zilp, if he has read this far, is at this very moment red-faced and the veins on his forehead are bulging. Even as we speak he is furiously typing a very lengthy essay rubbishing every single sentence in my post. That's fine, we are all free to do that. I just wanted to take this opportunity to tell you what I think. @zilp's rubbishing won't change that. And if you want to be hostile, then please - go ahead. You will be ignored, though.

Yeah, I have already noticed that you are ignoring all arguments that contradict your claims.
 

Online Siwastaja

  • Super Contributor
  • ***
  • Posts: 8732
  • Country: fi
I agree. Microsoft doesn't care about security.

They never did. SteveThackery's interesting logic game falls apart as soon as you take real-world observations into account: the fact that Microsoft has always colossally failed to deliver software which is even remotely up to date with then-current security best practices, and Windows users have always had to resort to third-party firewall and virus protection software, since the early days of connecting Windows PCs into the Internet.

In an ideal world, Microsoft would make their operating system in itself more secure, such that complicated third-party security software would not be needed. This is by the way how every other operating system in existence works: the primary way of security is by design of software (both kernel and userland), where Windows has always followed a different principle, namely both OS kernel and userspace software (including that supplied by MS, e.g. Internet Explorer or Outlook) leaking like sieves, with near zero effort to do anything about it, leaving the mess for 3rd party software.

And people always did install third-party firewalls and virus protection. Something which is nearly unheard of in every other operating system.

Same EU rules of course apply to everyone, yet all the others (be it linux, BSD, MacOS, iPhone, Android or whatever) are fully capable of making orders of magnitude more secure operating systems. Being that this has not changed in three fucking decades, and now Microsoft blames some pretty recent EU regulation nobody else has any trouble with, I would guess it's obvious to anyone it's a so called excuse. But clearly there are at least a few people who believe them!
 
The following users thanked this post: zilp

Offline zilp

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: de
since the early days of connecting Windows PCs into the Internet.

Connecting to the internet, you say? You must have forgotten that autorun.inf was (is?) a thing! They managed to make putting a CD-ROM into the drive into a security risk by design ...
 
The following users thanked this post: Siwastaja

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
Yeah, I have already noticed that you are ignoring all arguments that contradict your claims.

 :-DD  Pots and kettles come immediately to mind.
 

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
...... the fact that Microsoft has always colossally failed to deliver software which is even remotely up to date with then-current security best practices, and Windows users have always had to resort to third-party firewall and virus protection software, since the early days of connecting Windows PCs into the Internet.

I somewhat agree with this. Mind you, the ubiquity of Windows - especially in the hands of ordinary Joes - does make it a very attractive target, which probably skews the results a bit. There's an online database somewhere which reports on security attacks and responses, and I seem to recall that Linux has had more vulnerabilities exposed than Windows for most of the past few years. My recollection might be wrong.

Even so, Windows' history of security vulnerabilities has long puzzled me. Windows was architected by Dave Cutler, who by then was already a serious heavyweight with extensive experience of other OSs. He was and is a highly respected software engineer. Given that, Windows NT must have had the best possible start - it was literally a clean sheet design, although it was required to implement a suite of APIs compatible with the DOS-based Windows 3 and 3.1.

So where and why did it all go so wrong? According to Helen Custer's book, security and stability were baked into the specifications from the beginning. You would think that such a good start would produce a state of the art OS with class-leading security.

Does anyone have any idea why NT lost its way and became so vulnerable?
 

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 27772
  • Country: nl
    • NCT Developments
I agree. Microsoft doesn't care about security.

They never did. SteveThackery's interesting logic game falls apart as soon as you take real-world observations into account: the fact that Microsoft has always colossally failed to deliver software which is even remotely up to date with then-current security best practices, and Windows users have always had to resort to third-party firewall and virus protection software, since the early days of connecting Windows PCs into the Internet.
That is not quite correct.  ;D MS-DOS has its fair share of viruses for which you also needed to have third party software installed in order to scan the system for viruses. Long before internet, some companies had computers set up at the entrance of the building where you could scan the floppies / diskettes you brought in from the outside.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
Being that this has not changed in three fucking decades, and now Microsoft blames some pretty recent EU regulation nobody else has any trouble with...

Point of order, m'lud! I think Windows has been as good or better than Linux in recent years, according to that database that lists all the security breaches and patches. I wish I could remember where it is.

About that EU regulation, I don't think that specific EU ruling applies to anyone except Windows. Do we know for certain that Linux has to comply with the same regulations, what with it being open source, so there is nobody the EU can take to court?  Does Linux also have to allow third party security-related drivers to run in kernel mode? This is a genuine question - I honestly don't know the answer, but surely any such regulations would be unenforceable, because there is no organisation or legal entity behind Linux.

 

Online Siwastaja

  • Super Contributor
  • ***
  • Posts: 8732
  • Country: fi
That is not quite correct.  ;D MS-DOS has its fair share of viruses for which you also needed to have third party software installed in order to scan the system for viruses. Long before internet, some companies had computers set up at the entrance of the building where you could scan the floppies / diskettes you brought in from the outside.

Yeah. At least on a disk you had to run game.exe to get infected. CD autorun.inf as mentioned above made it funnier. At least most people knew about computer viruses, nearly hysteric about them. With internet connectivity more automated fun ensued, as Windows machines were known to get infected "on their own" without user downloading/installing anything; a known mitigation was to install the OS with network cable unconnected, and known-good firewall software installed from a disk / CD as a very first thing.

I remember getting some virus by just clicking an email open on MS Outlook Express, without touching any attachment files or links within the message.
 

Offline zilp

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: de
I somewhat agree with this. Mind you, the ubiquity of Windows - especially in the hands of ordinary Joes - does make it a very attractive target, which probably skews the results a bit.

It doesn't skew the obviously insecure design of a lot of software from Microsoft. Like, I dunno, executing email attachments.

Also, Linux in the form of Android is also in the hands of ordinary Joes.

There's an online database somewhere which reports on security attacks and responses, and I seem to recall that Linux has had more vulnerabilities exposed than Windows for most of the past few years. My recollection might be wrong.

That's a pretty useless comparison to make. What do you even include in "Linux"? All of Debian? Just the kernel? Just the parts of the kernel that are actually commonly used? What do you include in "Windows"? All third-party drivers? Application software from Microsoft? ...

Also, how do you even count vulnerabilities? Is remote code execution the same weight as code running as root being able to load a kernel module when it shouldn't be?

And how do you even know how many vulnerabilities Microsoft has fixed? It's not like you can have a look at their source repository. And how do you even know that the numbers you know for Windows aren't just a result of no one being able to look at the code?

Even so, Windows' history of security vulnerabilities has long puzzled me. Windows was architected by Dave Cutler, who by then was already a serious heavyweight with extensive experience of other OSs. He was and is a highly respected software engineer. Given that, Windows NT must have had the best possible start - it was literally a clean sheet design, although it was required to implement a suite of APIs compatible with the DOS-based Windows 3 and 3.1.

So where and why did it all go so wrong? According to Helen Custer's book, security and stability were baked into the specifications from the beginning. You would think that such a good start would produce a state of the art OS with class-leading security.

Does anyone have any idea why NT lost its way and became so vulnerable?

Because security is the result of more than just the kernel. That's one of the things that I've been trying to explain to you. And because the business doesn't care. They have always opted to do things in a way that's superficially "convenient" for the user, even if that was an obvious security problem.
 

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
Same EU rules of course apply to everyone, yet all the others (be it linux, BSD, MacOS, iPhone, Android or whatever) are fully capable of making orders of magnitude more secure operating systems.

I'm not sure that is fair or true. You've obviously heard of "security by obscurity" - the exceptional popularity of Windows, combined with the lack of technical awareness of its users - has always meant that Windows has been a super-attractive target for hostile actors.

What would be the point of attacking Linux, when all its users are geeks and techies with a fine understanding of how to secure an OS and how to mitigate any hacks that do get through?  What would be the point of attacking MacOS when its adoption has always been in single figure percents?

I'm not making excuses for Windows. I'm just saying a full and fair account must take those factors into account, along with the historical records of security breaches.

Having said that, I do still wonder why Windows has such a bad record even taking those into account, for saying it had such a promising start.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8115
  • Country: de
  • A qualified hobbyist ;)
Point of order, m'lud! I think Windows has been as good or better than Linux in recent years, according to that database that lists all the security breaches and patches. I wish I could remember where it is.

I remember that too. However, on the linux side they included stuff which is not part of the OS. It wasn't an apples to apples comparison.
 

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
Because security is the result of more than just the kernel. That's one of the things that I've been trying to explain to you. And because the business doesn't care. They have always opted to do things in a way that's superficially "convenient" for the user, even if that was an obvious security problem.

I was hoping for a fuller and more nuanced analysis, to be honest, although I do appreciate hearing your view. I can't get my head around saying Microsoft "doesn't care". It's too sweeping a statement. I was wondering if there were fundamental mistakes in Cutler's design, for example. Or something else technical.
 

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
That's a pretty useless comparison to make.

Your tone is becoming abrasive and hostile again. We're just guys having a chat - let's stay nice.

What do you even include in "Linux"? All of Debian? Just the kernel? Just the parts of the kernel that are actually commonly used? What do you include in "Windows"? All third-party drivers? Application software from Microsoft?

Also, how do you even count vulnerabilities? Is remote code execution the same weight as code running as root being able to load a kernel module when it shouldn't be?

And how do you even know how many vulnerabilities Microsoft has fixed? It's not like you can have a look at their source repository. And how do you even know that the numbers you know for Windows aren't just a result of no one being able to look at the code?

All excellent questions. And all easily answered if only we could find the damn database where this stuff is recorded and analysed.
 

Offline zilp

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: de
About that EU regulation, I don't think that specific EU ruling applies to anyone except Windows. Do we know for certain that Linux has to comply with the same regulations, what with it being open source, so there is nobody the EU can take to court?  Does Linux also have to allow third party security-related drivers to run in kernel mode? This is a genuine question - I honestly don't know the answer, but surely any such regulations would be unenforceable, because there is no organisation or legal entity behind Linux.

For one, yes, of course, anti-trust law applies to everyone. Also, there are Linux vendors in the EU, as well as foreign Linux vendors doing business in the EU, and so you obviously could take all of them to court in the EU if they were to violate anti-trust law, including if the Linux that they are selling were to have features that violated anti-trust law. After all, anti-trust law applies to legal entities and their behaviour, not to software.

That does not necessarily mean that "Linux" would have to allow third-party kernel drivers, because anti-trust rules are about preventing monopolies. If some OS doesn't have any significant market share anywhere, say, chances are they can do just about anything as far as anti-trust law is concerned.

But of course, it's just about impossible for Linux to violate anti-trust laws, as the license (GPL) is designed to make it illegal to monopolize it. Like, if you distribute Linux, it is mandatory that whoever receives a copy from you also can obtain the source code, and the license to modify and redistribute it, including to redistribute it in modified form. So, even if some company were to distribute a version of Linux that only allowed you to load kernel drivers signed by that company, they would also have to provide their customer with the source code of that particular version of Linux, and that customer would be legally permitted to remove the code that checks the signature, recompile it, and thus load whatever kernel drivers they like ... so it is just legally impossible for anyone to distribute a version of Linux that could actually prevent anyone from loading any kernel driver they want to load.
« Last Edit: August 18, 2024, 07:07:16 pm by zilp »
 

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
This summary might be helpful. It relates to the "big four" OSs and covers the past decade

------

Over the past decade, significant security vulnerabilities have been identified across major operating systems, including Linux, Android, Windows, and macOS. Here's a summary of the key vulnerabilities reported by operating system and year:

Linux

2014-2015: The "Shellshock" vulnerability (CVE-2014-6271) was a major issue affecting Bash, allowing attackers to execute arbitrary code. The "GHOST" vulnerability (CVE-2015-0235) was another critical flaw allowing remote code execution.

2016: The "Dirty COW" vulnerability (CVE-2016-5195) was discovered, a privilege escalation bug that had existed in the kernel for nearly a decade.

2017: The "Stack Clash" vulnerability (CVE-2017-1000364) allowed local privilege escalation.

2018: "Spectre" and "Meltdown" (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) affected Linux, exploiting speculative execution in CPUs.

2019: The "SACK Panic" vulnerabilities (CVE-2019-11477, CVE-2019-11478) affected TCP networking, leading to denial-of-service attacks.

2020: The "BootHole" vulnerability (CVE-2020-10713) in GRUB2 bootloader could allow Secure Boot bypass.

2021: Multiple vulnerabilities in systemd (e.g., CVE-2021-33910) could lead to local privilege escalation.

2022: The "Dirty Pipe" vulnerability (CVE-2022-0847) allowed privilege escalation through the Linux kernel.

2023: Recent vulnerabilities (e.g., CVE-2023-3269) targeted the Linux Kernel's TCP stack, leading to potential remote code execution.

Android

2014-2015: The "Stagefright" vulnerability (CVE-2015-3824) affected media processing, allowing remote code execution via MMS.

2016: The "Quadrooter" vulnerability (CVE-2016-2503) involved four critical flaws in Qualcomm chips, affecting millions of devices.

2017: "BlueBorne" (CVE-2017-0781) affected Bluetooth, enabling unauthorized access to devices.

2018: The "KRACK" vulnerability (CVE-2017-13077) affected Wi-Fi WPA2, making Android devices susceptible to man-in-the-middle attacks.

2019: "Strandhogg" (CVE-2019-14023) allowed malicious apps to hijack permissions of legitimate apps.

2020: The "Strandhogg 2.0" (CVE-2020-0096) vulnerability further expanded the previous flaw’s scope, impacting almost all Android versions.

2021: The "BadAlloc" vulnerability (CVE-2021-22292) in Qualcomm chipsets allowed remote code execution.

2022: "Hermit" spyware vulnerabilities exposed security flaws in Android that enabled surveillance through malicious apps.

2023: The "SpyNote" Android Trojan highlighted new risks in unauthorized surveillance and data theft.

Windows

2014-2015: "CVE-2015-1701" was a privilege escalation vulnerability in Windows' user-mode subsystem.

2016: The "BadTunnel" vulnerability allowed remote attacks without user interaction. Microsoft also patched the "AtomBombing" technique (CVE-2016-7255) that allowed attackers to inject code into other processes.

2017: "EternalBlue" exploit (CVE-2017-0144) led to the widespread WannaCry ransomware attack.

2018: "Spectre" and "Meltdown" vulnerabilities also impacted Windows systems.

2019: "BlueKeep" (CVE-2019-0708), a critical RDP vulnerability, could allow remote code execution.

2020: The "SigRed" vulnerability (CVE-2020-1350) in DNS server could lead to a wormable remote code execution.

2021: The "PrintNightmare" vulnerability (CVE-2021-34527) allowed remote code execution through the print spooler service.

2022: Multiple vulnerabilities in Windows Defender and zero-day exploits like "Follina" (CVE-2022-30190) affected Office software and Windows.

2023: The "Acropalypse" vulnerability (CVE-2023-1685) compromised image cropping in Windows, potentially exposing sensitive data.

macOS

2014-2015: "Rootpipe" (CVE-2014-4453) was a privilege escalation vulnerability discovered in Yosemite.

2016: "CVE-2016-1757" and "CVE-2016-1825" involved privilege escalation and kernel vulnerabilities.

2017: The "High Sierra Root Bug" (CVE-2017-13872) allowed unauthorized root access.

2018: "CVE-2018-4237" and "CVE-2018-4280" addressed privilege escalation and kernel code execution.

2019: "CVE-2019-8781" was a kernel memory corruption issue leading to arbitrary code execution.

2020: The "Thunderbolt" vulnerability ("Thunderspy") exposed physical access risks to data.

2021: "CVE-2021-30892" exploited a flaw in macOS' Gatekeeper, allowing malware to bypass security checks.

2022: "CVE-2022-22674" and "CVE-2022-22675" were zero-day vulnerabilities that Apple quickly patched in Monterey.

2023: Vulnerabilities in macOS Ventura (e.g., "CVE-2023-23529") continued to expose the OS to remote code execution and malware risks.

------

Of course we will all immediately feel the need to question what it says about our personal favourite OS. We would need a fuller analysis of the raw data to get the most complete picture.

To me it says that security holes are to be found in all OSs, and on the basis of that summary, no one OS stands out as being "orders of magnitude" better or worse than the others.

Anyway, with all caveats acknowledged, it might still be of interest.
 

Offline zilp

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: de
That's a pretty useless comparison to make.

Your tone is becoming abrasive and hostile again. We're just guys having a chat - let's stay nice.

It's just a statement of fact. If you don't like it, that's on you.

What do you even include in "Linux"? All of Debian? Just the kernel? Just the parts of the kernel that are actually commonly used? What do you include in "Windows"? All third-party drivers? Application software from Microsoft?

Also, how do you even count vulnerabilities? Is remote code execution the same weight as code running as root being able to load a kernel module when it shouldn't be?

And how do you even know how many vulnerabilities Microsoft has fixed? It's not like you can have a look at their source repository. And how do you even know that the numbers you know for Windows aren't just a result of no one being able to look at the code?

All excellent questions. And all easily answered if only we could find the damn database where this stuff is recorded and analysed.

No, they wouldn't. The question wasn't how they did the comparison, the question was how one could possibly make a useful comparison based on such numbers, because it is just impossible to make a universally valid apples-to-apples comparison, because, no matter which way you answer these questions, there are common use cases that don't match those choices.
 

Offline zilp

  • Frequent Contributor
  • **
  • Posts: 329
  • Country: de
This summary might be helpful. It relates to the "big four" OSs and covers the past decade

Well, OK, this is even more useless than I expected.

That is just a completely random selection of vulnerabilities that tells you just about nothing. It seems like this was mostly just "whatever was in the press", which isn't particularly interesting.

2014-2015: The "Shellshock" vulnerability (CVE-2014-6271) was a major issue affecting Bash, allowing attackers to execute arbitrary code.

This one, for example, was effectively a vulnerability that affected particular web server setups. In particular, it was pretty much irrelevant for desktop users, as well as most other types of servers.

2018: "Spectre" and "Meltdown" (CVE-2017-5753, CVE-2017-5715, CVE-2017-5754) affected Linux, exploiting speculative execution in CPUs.

Those were vulnerabilities in CPUs, so it is insane to list the workarounds for those vulnerabilities implemented in Linux as vulnerabilities in Linux.

2016: The "Quadrooter" vulnerability (CVE-2016-2503) involved four critical flaws in Qualcomm chips, affecting millions of devices.

The text even says this was a vulnerability in Qualcomm chips ... why is this listed under Android, then?

2018: The "KRACK" vulnerability (CVE-2017-13077) affected Wi-Fi WPA2, making Android devices susceptible to man-in-the-middle attacks.

The text also says that this was a vulnerability in the WPA2 standard, which also happened to affect Windows, so why is this listed under Android?

2021: The "BadAlloc" vulnerability (CVE-2021-22292) in Qualcomm chipsets allowed remote code execution.

So, another Qualcomm vulnerability listed under Android?

2018: "Spectre" and "Meltdown" vulnerabilities also impacted Windows systems.

Well, yeah, it affected all systems running on the affected CPUs ...

To me it says that security holes are to be found in all OSs, and on the basis of that summary, no one OS stands out as being "orders of magnitude" better or worse than the others.

To me it says that this is just useless to base anything on.
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8115
  • Country: de
  • A qualified hobbyist ;)
Yep, that excerpt is pretty useless for drawing any conclusions, no matter for which OS.
 
The following users thanked this post: nctnico

Offline madires

  • Super Contributor
  • ***
  • Posts: 8115
  • Country: de
  • A qualified hobbyist ;)
To me it says that security holes are to be found in all OSs, and on the basis of that summary, no one OS stands out as being "orders of magnitude" better or worse than the others.

Have a look at OpenBSD. ;)
 
The following users thanked this post: zilp

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
No, they wouldn't. The question wasn't how they did the comparison, the question was how one could possibly make a useful comparison based on such numbers, because it is just impossible to make a universally valid apples-to-apples comparison, because, no matter which way you answer these questions, there are common use cases that don't match those choices.

So on what basis can you say that Linux, in particular, and all OSs in general, are so much better than Windows?
 

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
To me it says that this is just useless to base anything on.

Yeah, I agree. When I read some more rigorous reports, I was amazed to find that there are recorded tens of thousands of vulnerabilities every year.
 

Offline SteveThackery

  • Frequent Contributor
  • **
  • Posts: 434
  • Country: gb
Have a look at OpenBSD. ;)

It looks impressive!

I've got three different Linux distros in virtual machines and quite enjoy messing around with them. But I could never use any of them for my main desktop because the applications are so shit. Old fashioned, crude, clunky, and almost universally lousy UIs. The world of Linux desperately needs an equivalent of Microsoft's or Apple's Usability Labs.

I tried to convince myself LibreOffice could be my main office suite, but I just couldn't bear the plug-ugly UI, and when I found it wouldn't even support select-and-extend-by-sentence I vaped the decrepit piece of junk.  Day-to-day productivity tasks on Linux are like going 30 years back in time. One fine day we might get to see some state of the art applications like the Affinity suite on Linux, but until then Linux is no substitute for Windows.

EDIT: Your mate Linus agrees with me.  ;)

ANOTHER EDIT: Sorry! Way off topic. This is supposed to be about microcontrollers.
« Last Edit: August 18, 2024, 09:16:37 pm by SteveThackery »
 

Online NorthGuy

  • Super Contributor
  • ***
  • Posts: 3240
  • Country: ca
So on what basis can you say that Linux, in particular, and all OSs in general, are so much better than Windows?

Linux is an OS. It is software which you run on your PC at your own will.

Windows is a service. You give full access to your computer to Microsoft and they use it to provide OS services. That's how it's been since Windows 10 (2015).

This is the most important distinction in my view, which makes all further comparisons irrelevant. I, for example, don't need a service, I need an OS. Hence I use Windows 7, but when it becomes impossible, I have no other choice than using Linux (or possibly Mac).
 

