Monday, 29 July 2024

Free Software Foundation: ‘Let’s Point To A Better Way’ Post-CrowdStrike

The Free Software Foundation (FSF) says the industry needs “to take the opportunity to look at the situation and see how things could have gone differently” as it pertains to CrowdStrike.

CrowdStrike pushed a faulty update to its endpoint security software that crippled millions of Windows PCs around the world, bringing multiple industries to a standstill. Because CrowdStrike’s software runs as a kernel-mode driver, the bad update crashed Windows itself, and affected machines failed during boot before any remote management tooling could deliver a fix. Resolving the issue therefore generally required hands-on access to each machine, booting into safe mode or the recovery environment to remove the faulty update.

The FSF says the industry needs to learn from the incident, citing a number of issues that led to the outage, including automatic updates:

Let’s be clear: in principle, there is nothing ethically wrong with automatic updates so long as the user has made an informed choice to receive them. For instance, it’s perfectly understandable that a public library might not want to pore over kernel changelogs; they simply want to receive the update and move on with their work. At the same time, software bugs happen. Free software developers know this better than anyone. The Linux(-libre) kernel does not have some mystic immunity to them. What our community does have is a social structure that, most likely, would have rectified the situation swiftly.

The FSF also takes Microsoft to task for blaming CrowdStrike’s access to the Windows kernel as one of the main reasons for the outage:

In a cunning PR spin, it appears that Microsoft has started blaming the incident on third-party firms’ access to kernel source and documentation. Translated out of Redmond-ese, the point they are trying to make amounts to “if only we’d been allowed to be more secretive, this wouldn’t have happened!” Anyone with so much as a basic understanding of software development can see that this argument doesn’t hold water, just as anyone with a basic understanding of rhetoric can appreciate the irony that the same company that develops Copilot is whinging about the need to keep code secret from others. At this very minute, Copilot is ingesting free software on Microsoft’s proprietary platform, GitHub, with little respect for each program’s license.

In our own coverage of CrowdStrike, we pointed out our belief that the situation is slightly more nuanced than the above quote would make it seem. Open-source software does have a good track record with security, because the source can be inspected and audited by anyone. But that is not the same thing as Microsoft being required to give third-party vendors access to the Windows kernel, so the two are not an apples-to-apples comparison.

Windows is closed-source software, and much of CrowdStrike’s software is closed-source as well. CrowdStrike’s access to the Windows kernel therefore combines the worst of both options: a closed-source driver running with full kernel privileges inside a closed-source kernel. Because neither component is open, nobody outside the two vendors can inspect or audit the code, so neither benefits from the transparency that true open-source software offers, and a crash in the driver is, in effect, a crash of the kernel.

Nonetheless, the FSF is right that something needs to change:

We also need to see that calling for a diversity of providers of nonfree software that are mere front ends for “cloud” software doesn’t solve the problem. Correcting it fully requires switching to free software that runs on the user’s own computer.

The Free Software Foundation is often accused of being utopian, but we are well aware that moving airlines, libraries, and every other institution affected by the CrowdStrike outage to free software is a tremendous undertaking. Given free software’s distinct ethical advantage, not to mention the embarrassing damage control underway from both Microsoft and CrowdStrike, we think the move is a necessary one. The more public an institution, the more vitally it needs to be running free software.



from WebProNews https://ift.tt/cfnvXpO
