Let's not celebrate CrowdStrike -- let's point to a better way
Quoting: Let's not celebrate CrowdStrike -- let's point to a better way
Let's be clear: in principle, there is nothing ethically wrong with automatic updates so long as the user has made an informed choice to receive them. For instance, it's perfectly understandable that a public library might not want to pore over kernel changelogs; they simply want to receive the update and move on with their work. At the same time, software bugs happen. Free software developers know this better than anyone. The Linux(-libre) kernel does not have some mystic immunity to them. What our community does have is a social structure that, most likely, would have rectified the situation swiftly.
What free software offers is a diversity of choice. Although we can understand how the situation developed, one wonders how wise it is for so many critical services around the world to hedge their bets on a single distribution of a single operating system made by a single stupefyingly predatory monopoly in Redmond, Washington. Instead, we can imagine a more horizontal structure, where this airline and this public library are using different versions of GNU/Linux, each with their own security teams and on different versions of the Linux(-libre) kernel. For example, a library in Vietnam wouldn't necessarily be dependent on an American software company for their day-to-day work.
As of our writing, we've been unable to ascertain just how much access to the Windows kernel source code Microsoft granted to CrowdStrike engineers. (For another thing, the root cause of the problem appears to have been an error in a configuration file.) But this being the free software movement, we could guarantee that all security engineers and all stakeholders could have equal access to the source code, proving the old adage that "with enough eyes, all bugs are shallow." There is no good reason to withhold code from the public, especially code so integral to the daily functioning of so many public institutions and businesses.
WebProNews: Free Software Foundation: 'Let's Point To A Better Way' Post-CrowdStrike
The Free Software Foundation (FSF) says the industry needs “to take the opportunity to look at the situation and see how things could have gone differently” as it pertains to CrowdStrike.
CrowdStrike pushed an update to its cybersecurity update that crippled millions of Windows PCs around the world, bringing multiple industries to their knees. Because CrowdStrike’s software runs at the kernel level, it was nearly impossible to resolve the issue without physical access to the affected machines.
The FSF says the industry needs to learn from the incident, citing a number of issues that led to the outage, including automatic updates...