What Should Apple Users Take Away from the CrowdStrike Debacle?

Originally published at: What Should Apple Users Take Away from the CrowdStrike Debacle? - TidBITS

By now, you’ve heard of the CrowdStrike update bug that wreaked havoc on Windows-based PCs around the world. It didn’t affect Macs, and it’s unlikely that something similar could. What about iPhones and iPads? Will the industry learn from this debacle or continue with business as usual?

Crowdstrike better hope that its lawyers wrote the clause protecting it really really carefully because otherwise they’re gonna get sued into oblivion.

1 Like

The reason, in my opinion, that software quality is so poor is that we the consumers allow them to disclaim all responsibility for anything that goes wrong, including absence of liability for any resulting harms. The software doesn’t even have to be “fit for the purpose” of which it is sold!

For example, I quote from CrowdStrike’s Terms and Conditions:

CROWDSTRIKE AND ITS AFFILIATES DISCLAIM ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE. TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW, CROWDSTRIKE AND ITS AFFILIATES AND SUPPLIERS SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT WITH RESPECT TO THE OFFERINGS AND CROWDSTRIKE TOOLS. THERE IS NO WARRANTY THAT THE OFFERINGS OR CROWDSTRIKE TOOLS WILL BE ERROR FREE, OR THAT THEY WILL OPERATE WITHOUT INTERRUPTION OR WILL FULFILL ANY OF CUSTOMER’S PARTICULAR PURPOSES OR NEEDS.

Can you think of any other product that is allowed to say that it isn’t even guaranteed to perform its own purpose? For example, I’d be pretty upset if I bought a car that doesn’t drive. Or that if I bought a car seat and it caused the car’s wheels to come off.

But language like the above is standard in the software industry. MacOS probably says the same thing.

The lesson the world should take away is that it is time to disallow such exclusions.

6 Likes

Not a great example, given how many used cars are sold with an “as is” warranty… which means that, yes, you could buy a car that doesn’t drive.

(And don’t get me started on real estate, which has two entire industries — home inspectors and title search companies — whose entire reason for existence is to prevent customers from buying a house that will fall down from a person who doesn’t own the house).

1 Like

It is, as said in the article, somewhat unrealistic to imagine that Macs could be utilised in place of Windows boxes, but surely there is another alternative? That would be for a version of Unix/Linux to be developed which is designed to be much more robust than Windows, which is, let’s face it, a decades old general-purpose operating system which is somewhat archaic in its inner structures.

It is pretty crazy that Windows, with all its architectural shortcomings, is employed for such mission-critical computer infrastructure across the western world.

2 Likes

I’m amazed that things were NOT worse. If it’s true that “the world runs on Windows,” and Crowdstrike is the 900 pound gorilla in its space, why didn’t the electric grid suffer, or the Social Security System go down, or the Postal Service? I asked at my local post office, and I was told they don’t use Windows, but rather an ancient OS. If Crowdstrike (the company) had to offer merchantability guarantees, that might be in exchange for staged rollouts, rather than middle-of-the-night installations when many moderate-sized enterprises might not have anyone around to see that all the computers were entering doom loop reboots (or Crowdstrike could mandate that all customers have some “first tier machines” that were updated before wholesale installation on all of a company’s machines).

But what really amazed me was what DIDN’T break: power grids, gas utilities, water utilities, government operations, etc. The “why” in THAT bears careful investigation as a clue to how to make the next iteration less malignant rather than much worse.

1 Like

Clicking on the section: “the user drops system security to Reduced Security”.
What would be the reasoning or applicable situations where one would do that?
Anybody have an answer to that? Thanks

In my era, a large company’s IT department’s major responsibility was testing new (or updates to existing) vendor software thoroughly before implementing it live company-wide. It’s easy to blame the vendor and say they wrote the code and bug(s) or blame Microsoft for offering kernel access but, as this event shows, the end-user company must be aware of their own computer vulnerabilities (i.e., we’re running Windows and updates could take our machines down to BSOD) and take all appropriate measures to prevent a catastrophe. Updates to critical software packages (say SAP and similar) were viewed skeptically until they proved themselves safe in a fenced playground.

In defence of CrowdStrike, the company has to balance putting out a security update immediately to meet a new and lethal threat against holding back the update until exhaustively tested, with the chance of the threat running amok.

With security threats impacting global computer and communications systems every second, it would appear that CrowdStrike does a pretty good job in countering these security threats. The better approach might be for companies and organisations to spend money on building redundancy into their systems.
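The staged rollout with “first tier machines” proposed a few posts up, and the pre-deployment testing in a fenced playground described in the post above, amount to the same control: push an update to a small ring of hosts first, check that they still come up healthy, and stop before the rest of the fleet if they do not. The following is an added example of such a ring-gated rollout, not code from the thread, from CrowdStrike or from Microsoft; the host names, ring sizes and the `bad_update` / `good_update` / `flaky_update` health-check stand-ins are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Sequence


@dataclass
class RolloutResult:
    updated: List[str] = field(default_factory=list)   # hosts that received the update, in order
    healthy: List[str] = field(default_factory=list)   # hosts that passed the post-update check
    failed: List[str] = field(default_factory=list)    # hosts that failed it
    halted_at_ring: Optional[int] = None               # index of the ring that tripped the gate


def staged_rollout(rings: Sequence[Sequence[str]],
                   apply_and_check: Callable[[str], bool],
                   max_failure_ratio: float = 0.0) -> RolloutResult:
    """Push an update ring by ring.

    apply_and_check(host) installs the update on one host and returns True
    only if the host is still healthy afterwards (e.g. it rebooted cleanly).
    A ring is started only if every earlier ring stayed within
    max_failure_ratio, so the first ring (the canaries) bounds the blast
    radius of a bad update instead of the whole fleet finding out at once.
    """
    result = RolloutResult()
    for idx, ring in enumerate(rings):
        ring_failed = 0
        for host in ring:
            result.updated.append(host)
            if apply_and_check(host):
                result.healthy.append(host)
            else:
                result.failed.append(host)
                ring_failed += 1
        # Gate: stop the rollout if this ring's failure ratio exceeds the budget.
        if ring and ring_failed / len(ring) > max_failure_ratio:
            result.halted_at_ring = idx
            break
    return result


# Constructed fleet: two canaries, a small pilot ring, then everything else.
FLEET_RINGS = [
    ["canary-01", "canary-02"],
    ["pilot-01", "pilot-02", "pilot-03", "pilot-04"],
    [f"prod-{n:02d}" for n in range(1, 21)],
]


def bad_update(host: str) -> bool:
    # Constructed stand-in for an update that leaves every host unbootable.
    return False


def good_update(host: str) -> bool:
    # Constructed stand-in for an update that is fine everywhere.
    return True


def flaky_update(host: str) -> bool:
    # Constructed stand-in for an update that breaks a single pilot host.
    return host != "pilot-03"


def demo() -> None:
    for name, fn in [("bad", bad_update), ("good", good_update), ("flaky", flaky_update)]:
        r = staged_rollout(FLEET_RINGS, fn, max_failure_ratio=0.1)
        print(f"{name:5s}: updated={len(r.updated):2d} failed={len(r.failed):2d} "
              f"halted_at_ring={r.halted_at_ring}")


if __name__ == "__main__":
    demo()
```

With `max_failure_ratio=0.0` (the default) a single failed canary halts everything; a non-zero budget lets a rollout survive one flaky host without treating it as a fleet-wide defect, which is the trade-off the two posts above are arguing about. The gate only works if the health check actually waits for the host to come back, so in a real deployment `apply_and_check` would be the place to block on a post-reboot heartbeat rather than returning as soon as the package is written to disk.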

Not the same, as CrowdStrike is the software OEM equivalent of GM, Ford, etc., while used car dealers are NOT the OEM of what they sell.

I think it’s entirely comparable.

Microsoft should explain why Windows allows kernel-mode drivers.

1 Like

The travel, aviation, and medical sectors have been most visibly affected by the Crowdstrike/Microsoft mishaps. Millions of travelers, aircrews, and support personnel were (many are still stuck in airports). There are mountains of mishandled luggage in multiple airports from Auckland, New Zealand, the long way around the world to Hawaii. This will take days to get the tightly wound systems back to normal.

The US Department of Transportation is holding airlines to comply with their rigid compensation policies (same in the EU) for flight cancellation and delay expenses for their passengers. This will end up costing millions.

In the UK, thousands of medical appointments and operations were delayed or had to be rescheduled.

Some regulation is necessary to avoid a recurrence. If the industry does not propose reform on its own, it will be forced upon Crowdstrike and Microsoft. And yes, it is time to revise the disclaimers for software products to be in line with other forms of commerce.

1 Like

It’s not only crazy, but downright dangerous for the world, AFAIAC. I’m talking about world wide airlines that run Windows. They carry thousands of people every day. And our own military, which itself has had numerous failures because of their dependency on Windows. Maybe those failures so far haven’t caused a catastrophic event–but who is to say what will happen in the future? To say that Macs would not be an infinitely better choice for mission-critical work to me is folly, and feeds into the falsehood that Macs are inferior.

1 Like

The entire Social Security system did not go down but parts of it were definitely affected, including some of their website features.

1 Like

Good question. Part of an answer to that is that it’s not true that the whole world runs on Windows; fortunately, there are many alternative OSes in use. Furthermore, not every company using Windows uses CrowdStrike to protect their systems. Also, as I understood, only Windows 10 and 11 were affected, not older versions which can still be in use.

I agree they have to balance speed to meet a threat with the time it costs to test their code. Having said that, I have not read anything about any lethal threat that necessitated an immediate update, but I could be wrong (I’m not a security expert, I’m a software engineer). But even then, at least some basic testing should have been performed. The fact that so many systems were affected by this bug, and the impact of it, raises the question of why this bug was not caught. Simply installing it on a few different systems would have revealed that at least some of them would no longer boot up, no intensive testing required. IMHO CrowdStrike has acted irresponsibly and needs to review their procedures ASAP.

1 Like

According to the Wall Street Journal, a 2009 agreement with the European Union requires Microsoft to allow kernel extensions:

A Microsoft spokesman said it cannot legally wall off its operating system in the same way Apple does because of an understanding it reached with the European Commission following a complaint. In 2009, Microsoft agreed it would give makers of security software the same level of access to Windows that Microsoft gets.

Source (Gift Link): https://www.wsj.com/tech/cybersecurity/microsoft-tech-outage-role-crowdstrike-50917b90?st=ddhtag1onr5oqck&reflink=desktopwebshare_permalink

Mashable says that this is the EU agreement referred to in that quote:

Source:

3 Likes

And here I thought Apple was doing the “locked down” thing for its operating systems to sell more product.

2 Likes

Yes, apparently running on Windows 3.1 is what saved Southwest Airlines.

But Southwest reported that its operations were completely unaffected.

That’s because major portions of the airline’s computer systems are still using Windows 3.1, a 32-year-old version of Microsoft’s computer operating software. It’s so old that the CrowdStrike issue doesn’t affect it so Southwest is still operating as normal. It’s typically not a good idea to wait so long to update, but in this one instance Southwest has done itself a favor.

Source:

3 Likes