Microsoft backs down over rivals' Vista access (2006) (archive.org)
46 points by tosh on July 29, 2024 | hide | past | favorite | 32 comments


I find it interesting how history can sometimes determine our legal and technical frameworks. The Crowdstrike issue we see is essentially a foreseeable consequence of this decision.

As another comment pointed out, Apple don't provide the same level of access for app developers for iPhones, yet don't have the same scrutiny. I'd wager this is partially because antivirus vendors for iPhone never existed, which weakens their standing in a legal sense.

Unlike browser and antivirus vendors for Windows, you'd be demanding the courts create a new market for you, as opposed to preventing a monopoly from removing one.

I don't have an answer, or even a specific opinion, to this. Just making an observation.


The difference is that Microsoft, as an Operating System Vendor, wanted to get into the Security Software Market, with exclusive access to their operating systems that none of the existing security software had.

Apple does not sell security software so they don't have the same conflict of interest.

Microsoft could have responded to the EU request by creating a secure, sandboxed API (like the one Apple has for macOS) and used that both for their own security software and also let third-party software use it. That would have been fair market dealing.

But they took the lazy way out and just gave the third party software access to the kernel the same way their own software already used it, so they didn't have to rewrite their own solution.


> Apple has for macOS

kexts are still available, yet this misinformation keeps being repeated.

https://developer.apple.com/documentation/apple-silicon/inst...


Kexts are being phased out, and are only changeable if you "reduce security", so obviously not something that Apple is supporting; it's more "at your own risk", so not really the same as what Microsoft is doing (supporting people plugging into the kernel itself).


True, and as long as they are around, they can be used.


Endpoint Security is a user framework; that's the point. You can write a driver in macOS. You have to write a driver for Windows; there is literally no other solution for real-time protection.


As long as they are available, they are a possible usage scenario, regardless of what people on HN think companies might be using instead.


Hooking into NT kernel syscalls was already a thing before the introduction of Defender; Microsoft may have felt that it was easier to continue a similar setup (albeit isolated to device drivers) instead of facing regulatory scrutiny.

Apple's responses to the DMA/DSA and Google's Privacy Sandbox have already attracted such scrutiny despite providing alternative APIs. I assume Microsoft Legal could already foresee such a situation arising, and just assumed it was better to leave the system as-is until there was a compelling data point to prove otherwise.


I don't think MS particularly wanted to enter the security market; they cared far more about making sure that all Windows computers had some level of baseline security solution. The constant virus epidemics were hurting their reputation and they wanted to address that; improving Windows security was a pretty major theme for early 00s MS. Indeed I imagine especially then they would have been happy to be completely rid of the AV market instead of entering it as a player.

The Vista era Defender product was extremely rudimentary; it's almost certain that the major commercial offerings were doing far more intrusive and complex stuff in the kernel. Thus I don't think simply forcing everyone to downgrade to Defender's level would have made anyone happy.

Calling MS lazy for not coming up with new novel set of APIs overnight is pretty disingenuous.


Microsoft has been selling Forefront (the commercial version of Security Essentials/Defender) since 2007[0], 2 years before Security Essentials was released.

[0]: It's hard to track down a specific date since they've been going through a bunch of rebrands, but https://www.csoonline.com/article/545304/cisco-subnet-whatev... seems like the earliest date I can find, with a bunch of other sources from 2009 talking about new updates.


> As another comment pointed out, Apple don't provide the same level of access for app developers for iPhones, yet don't have the same scrutiny. I'd wager this is partially because antivirus vendors for iPhone never existed, which weakens their standing in a legal sense.

I think the Intel thing is another interesting case of this. Once those overclocking controls exist, it's pretty hard to actively take them away from people (and partners) without looking like a jerk in the process, even if they are now dangerous in a way they weren't previously.

NVIDIA got a ton of heat for this back when Turing launched. You heard all the excuses: "electromigration doesn't happen on modern processors, unless it's like 4.7 GHz sandy bridge" etc. https://x.com/Sebasti66855537/status/1816955349636710535

You almost need one of these kinds of incidents to get people to take a step back and realize what's at stake. Because people will keep living in 2007 forever - you see this with gpu pricing and economics too.

And in turn this does create a perverse incentive to just not offer these things in the first place, I think that’s correct. That’s the way we’ve written the laws, it’s worse to take it away than to never offer it. And there’s valid logic supporting that too - now other people’s livelihoods depend on your indulgence, and they get the business equivalent of tenant rights.

(although there are instances where it has been successfully rolled back, notably the third-party chipset market no longer exists, intel locked that down and AMD immediately followed.)



I know this is being used by Microsoft and other voices in tech to bash the EU, but I really don't buy that argument. For a start it would only cover the decision within the EU, yet Microsoft chose to do this at a global level - likely also pressured by previous anti-monopoly rulings in the US.

The main fall down here was a lack of rigor on their part, and Crowdstrike's. Thorough testing of all configurations of Windows is likely impossible - but it's clear this one affected so many it was a common one - why was this not caught?

As for the EU - I'd say where their problems lie is in applying rules and regulations, but only in the context of that time and space - there is no regulatory follow-up from the initial conditions to ensure that software continues to be safe, and few certifications offered outside private companies' own certification. It's just been announced they are diverting budget away from FOSS projects towards AI ones in their Horizon 2025 budget, once again weakening the software ecosystem in favour of the-popular-thing-at-the-moment.

For their own sake they should be funding independent Red/Blue teams, and securing the internal supply chain of software - both to protect it from current threats, and future geo-political changes. But this is where they leave it up to market forces and this is why this situation will absolutely happen again and again.


> Thorough testing of all configurations of Windows is likely impossible - but it's clear this one affected so many it was a common one - why was this not caught?

You might want to investigate the technical details of what the CrowdStrike driver actually does. It has the ability to load a configuration file that contains code and then execute that code. CrowdStrike uses their own update server. Microsoft has validated the driver, but when the driver has the ability to connect to CrowdStrike's servers and download code, it is hard to blame Microsoft for not checking this code. Had CrowdStrike instead chosen to use Windows Update for this, Microsoft would have checked and caught this, but CrowdStrike decided to bypass Microsoft and use their own update servers instead.


That's the point I was making though - the rigor failed here by Microsoft allowing companies to push this kind of stuff with only some kind of basic sign-off in the distant past that they get the keys to do this.

If CrowdStrike didn't have the capacity to test this, either they should be handing it off to Microsoft to deliver through their channels, or they need to be forced to increase their testing capacity and improve the processes in their delivery (as do all companies with root-level access here).


> load a configuration file that contains code and then execute that code

Citation needed (sorry!).

Of the reports I've read, the most technical of those only say the config files were full of null bytes, which, when parsed/loaded by CrowdStrike's driver, in turn caused their driver to perform a null dereference.

...this doesn't mean that those files contain executable code; just that their driver code was sloppy for not validating file input (presumably their parser took a null byte in its input as equivalent to a null (i.e. an empty reference) in its internal data structures). To my knowledge, there's no indication or hint of CrowdStrike's driver doing anything like loading arbitrary binary code from those config files - or memory-mapping those files - and directly executing it via JMP or CALL or some Windows kernel function.

////

Apparently the Windows kernel does allow drivers to have RWX pages (yikes!?), so I'll admit that it's possible that CrowdStrike's driver was doing this, but surely any competent driver/kernel-mode dev knows to never do this? (unless you're writing malware, I guess?): https://community.osr.com/t/windows-kernel-writeable-and-exe...
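The failure mode the comment above hypothesises (a parser that maps unvalidated file input straight into internal references, so a zero byte becomes a null pointer that something later dereferences) is easier to reason about in code. What follows is an added example written for this page; it is not CrowdStrike's driver, not code from the thread, and the record-table format, the field names (`magic`, `count`, `name_off`) and every function in it are assumptions invented for illustration, since the real channel-file layout is not public. It places a sloppy parser, which trusts every field and turns a zero offset into NULL, beside a validating one that bounds every field against the blob length before using it as a count, index or pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record-table format, an assumption made for this example only.
 * It is NOT CrowdStrike's channel-file layout (which is not public):
 *   byte 0: u32 magic, little-endian, expected 0x43464731 ("CFG1")
 *   byte 4: u32 count, number of 8-byte entries that follow
 *   byte 8: count x { u32 name_off; u32 reserved; }
 * name_off is the offset, within the same blob, of a NUL-terminated entry name. */
#define CFG_MAGIC   0x43464731u
#define CFG_HDR_LEN 8u
#define CFG_ENT_LEN 8u

enum cfg_status {
    CFG_OK = 0,
    CFG_ERR_SHORT,        /* blob smaller than the header */
    CFG_ERR_MAGIC,        /* magic mismatch (an all-zero file fails here) */
    CFG_ERR_COUNT,        /* entry table does not fit in the blob */
    CFG_ERR_INDEX,        /* requested entry beyond count */
    CFG_ERR_OFFSET,       /* name offset is zero, inside the header, or past the end */
    CFG_ERR_UNTERMINATED  /* no NUL before the end of the blob */
};

static uint32_t rd_u32(const uint8_t *p) {
    /* byte-wise little-endian read: no alignment or host-endianness assumptions */
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Sloppy parser in the style the comment hypothesises: no magic, length, count
 * or index checks, and a zero offset is silently turned into a NULL "empty
 * reference". A consumer that then calls strlen() on the result faults; in
 * kernel mode that is a bugcheck, not a caught exception. */
const char *naive_entry_name(const uint8_t *blob, uint32_t idx) {
    const uint8_t *entry = blob + CFG_HDR_LEN + (size_t)idx * CFG_ENT_LEN;
    uint32_t name_off = rd_u32(entry);
    return name_off ? (const char *)(blob + name_off) : NULL;
}

size_t naive_name_len(const uint8_t *blob, uint32_t idx) {
    return strlen(naive_entry_name(blob, idx)); /* NULL here = crash */
}

/* Validating parser: every field read from the file is checked against the
 * blob length before it is used as a count, index or pointer, and a zero
 * offset is an error rather than a NULL that escapes to the caller. */
enum cfg_status checked_entry_name(const uint8_t *blob, size_t len,
                                   uint32_t idx, const char **name_out) {
    *name_out = NULL;
    if (len < CFG_HDR_LEN)                 return CFG_ERR_SHORT;
    if (rd_u32(blob) != CFG_MAGIC)         return CFG_ERR_MAGIC;
    uint32_t count = rd_u32(blob + 4);
    /* divide rather than multiply so a huge count cannot overflow size_t */
    if (count > (len - CFG_HDR_LEN) / CFG_ENT_LEN) return CFG_ERR_COUNT;
    if (idx >= count)                      return CFG_ERR_INDEX;
    size_t ent = CFG_HDR_LEN + (size_t)idx * CFG_ENT_LEN;
    uint32_t name_off = rd_u32(blob + ent);
    if (name_off < CFG_HDR_LEN || name_off >= len) return CFG_ERR_OFFSET;
    if (memchr(blob + name_off, 0, len - name_off) == NULL) return CFG_ERR_UNTERMINATED;
    *name_out = (const char *)(blob + name_off);
    return CFG_OK;
}

/* Constructed sample inputs (not real channel files). */
static const uint8_t GOOD_BLOB[] = {
    0x31, 0x47, 0x46, 0x43,                 /* magic "CFG1" */
    0x02, 0x00, 0x00, 0x00,                 /* count = 2 */
    0x18, 0x00, 0x00, 0x00, 0, 0, 0, 0,     /* entry 0: name at 0x18 */
    0x1e, 0x00, 0x00, 0x00, 0, 0, 0, 0,     /* entry 1: name at 0x1e */
    'a', 'l', 'l', 'o', 'w', 0,             /* 0x18..0x1d */
    'b', 'l', 'o', 'c', 'k', 0,             /* 0x1e..0x23 */
};
static const uint8_t ZERO_BLOB[64] = { 0 }; /* the "file full of null bytes" case */

int main(void) {
    const char *name = NULL;
    printf("naive, good blob, entry 1: %zu chars\n", naive_name_len(GOOD_BLOB, 1));
    printf("naive, zero blob, entry 0: %s\n",
           naive_entry_name(ZERO_BLOB, 0) == NULL ? "NULL (would fault)" : "ptr");
    printf("checked, zero blob: status %d\n",
           checked_entry_name(ZERO_BLOB, sizeof ZERO_BLOB, 0, &name));
    printf("checked, good blob, entry 0: status %d name %s\n",
           checked_entry_name(GOOD_BLOB, sizeof GOOD_BLOB, 0, &name), name);
    return 0;
}
```

The point of the checked variant is that a malformed file produces a status code the driver can act on (refuse the file, keep the previous one, log) rather than a pointer it has to trust; in a boot-start kernel driver that is the difference between a rejected update and a machine that cannot boot.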


> > load a configuration file that contains code and then execute that code

> Citation needed (sorry!).

I'm unable to validate Dave's statements[0], but he's a retired Microsoft engineer who appears to know his stuff.

I definitely don't expect CrowdStrike to piss off their investors - they are and will be sweeping this under the rug, and possibly will change company name due to trashed reputation.

[0] https://www.youtube.com/watch?v=wAzEJxOo1ts


> it is hard to blame Microsoft for not checking this code

I don't blame Microsoft for the mistakes of CrowdStrike. I DO blame Microsoft for clearly fishing in troubled waters, trying to get back control during a crisis.


Windows does have the ability to have sovereign builds (and has had this since 2016?), but the capability wasn't present when the decision was made (in 2006). The Windows build is complex and tightly coupled with performance testing, telemetry collection, etc., and at the time this decision was made, it was not feasible to do.

Reversing a change from 2006 would likely bring anti-trust action from the remainder of the world immediately, as that change from 2006 is relied on by everyone else globally today.

The EUs stance isn't bad either, as MS has a competitor in this space that also relies on a kernel driver (MDATP does use a kernel driver) and it is unlikely MS would remove its own competitor from the kernel (at least this item was not discussed during my time at MS and I was in the security space of Windows).


> The EUs stance isn't bad either, as MS has a competitor in this space that also relies on a kernel driver (MDATP does use a kernel driver)

The Vista era Defender was pretty limited though, very different breed from current MS security products


I don’t know why you want to absolve the EU regulators. MS was trying to lock down the kernel because Windows was quite unstable due to all the buggy kernel software everyone was using. Security was a growing concern at the time, but it was mainly the system instability. Windows was literally a joke at the time, and everyone knew what a BSOD was.

So this was a predictable (and predicted) consequence of the legislation.

And sure, MS could have released both “open kernel” SKUs and “closed kernel” SKUs, but that would have made it essentially the purchaser’s choice — which it would have been anyway with just “open kernel” SKUs, so there is literally no point.

I think you’re also suggesting that the EU would somehow continuously and independently test and certify Windows and CS software as sound and safe? The cost to do this in any substantial way would be massive — a significant fraction of the dev budgets of the products covered — Windows, CS, and all the other products covered. The entire Horizon 2025 budget wouldn’t begin to cover it.


Absolutely it wouldn't, and here is where I am saying the EU is failing the most - not considering cyber security and software resilience something to throw money at - and it shouldn't be locked up in defence budgets or other closed initiatives - it would in fact have an opportunity to create a rather sizeable bug bounty program if it wanted to.

Data and software sovereignty is likely coming and the worst thing that can happen is for everyone to end up in inoperable silos - this will make information sharing at every level more difficult.

At some point MS might also have to admit it has to fork Windows and create one more tailored to the EU regarding the different acts that are incoming.


I like that articles like this in 2006 referred to Microsoft as "Redmond" - like Microsoft was an entire country in its own right. "Washington said" when referring to the US government is common, but I don't think you see "Cupertino said" when referring to Apple these days.


Metonyms [0] exist all over the place if you know to look for them.

0: https://en.wikipedia.org/wiki/Metonymy


It's a technique to avoid repetition. The first paragraph starts with "Microsoft announced X", and then the second paragraph would start with "Microsoft also said Y".

By replacing the second instance with "Redmond", the article becomes easier to read because the second paragraph is now visually distinct from the first.


> I don't think you see "Cupertino said" when referring to Apple these days.

https://news.ycombinator.com/item?id=41098886


Alright, I'll qualify that with "journalists don't do this as often" as they did in 2006.


Right below, for example, in the comment that was posted 30 minutes before yours.

Companies like Microsoft or Google have so much power in the city that they usually have a lot of influence over the local police or mayor.

For example, Microsoft's street is called "One Microsoft Way", and Google's HQ is protected by Google's police instead of the municipal police.


What do you mean by Google Police? Can they use force? Throw me into prison? What are their laws? (If you can't answer that, can you give me some hints for direction?)


I don't exactly know the situation at Google, but it's not entirely uncommon for orgs with large campuses to hire licensed peace officers instead of basic "security guards". A licensed peace officer is essentially the same as a police officer, with the power to arrest and carry weapons and what not. So instead of your security guard only being able to call for police, they can take police-like action immediately.

Ever drive past a large event or like a church after Sunday service and see cops out in the street directing traffic? Often those are off duty cops serving as paid peace officers.

In Texas, to have a large event where you serve alcohol (like say a wedding reception) you legally need to hire a peace officer for your security. Often people hire off duty cops, but you could hire someone who isn't a cop day to day. Anyone with a valid peace officer license can do it.

I've known people who went through all the training and decided being a cop wasn't for them. They then took jobs like "security guard" but were paid a lot more because of their peace officer license.


"Ever drive past a large event or like a church after Sunday service and see cops out in the street directing traffic? Often those are off duty cops serving as paid peace officers." Nope, because like many folks on HN I don't live in the US.

In Germany I've never heard that Volkswagen or BASF (two companies with huge company-owned areas) have a security service which can arrest people, and very likely they have never used their weapons.

I see now where cyberpunk dystopias got their inspiration from. Thank you for the insight.


I don't exactly see how a security guard licensed by the state actually being able to arrest a trespasser or vandal, instead of having to call the city police to show up well after the crime to take pictures and write some notes, makes anything a cyberpunk dystopia. They're not doing investigations. They aren't enforcing laws outside of what the state has made. They have far more liability concerns than regular police officers do because they aren't acting on behalf of the state. They don't have any sovereign immunity protections.

Practically the only difference is they can do arrests on the spot and they can potentially still carry weapons in places where it's normally prohibited when serving the duties of a peace officer. It is not like Google would have their own Google Police enforcing Google Law. And I imagine all the security guards at Google have also never used their weapons outside of a shooting range or hunting.



