Windows security just got worse
Well, it didn’t really get any worse, we just found another way in which it’s already horrible.
Like you, I woke up Friday morning to newsfeeds full of stories about the “Worldwide Tech Outage” wreaking havoc on businesses from tiny to titan. This is all blamed on CrowdStrike, a “global technology company” that apparently pushed out an oxymoronic broken fix to some Microsoft software resulting in a pandemic of infinitely recursive Blue Screens of Death.
And there is a fix, but it can’t be performed remotely so every one of the millions of affected computers must be individually coaxed through a non-trivial sequence of hands-on actions that will allow the administrator to delete the offending file and then perform a reboot — hopefully with better results. One ZDNET article lists the steps required to perform this arcane trickery necessary to convince Winblowz to boot into a “safe mode” or “recovery environment” in order to perform an excision of the offending cancerous code.
The first problem I see here, as a few others have already noted, is a complete failure to test the code being pushed out to millions of computers. The fact that any reasonably competent organization could fail so miserably at what should have been a simple test is so appalling that it leaves me thrashing around my thesaurus for words that can convey the extent of my disbelief. I haven’t found any. Yes, I have been a tester, so I understand that process.
The second problem is that of arbitrarily blasting out code, tested or not, to the entire planet without the knowledge or explicit approval of the organizations at the receiving end. Of course, this is aided and abetted by the PHBs (Pointy Haired Bosses) who, thinking to save a few pennies by offloading critical infrastructure and administrative oversight, sign contracts that allow them to abdicate responsibility for whatever might happen. No one in the organizations that sign up for such services know when anything is going to happen, whether its the service provider pushing out a new, but good, fix, or an astoundingly broken fix. And how would anyone at the affected organizations know, even if they had been notified, that the fix was destined to be a global tech meltdown?
The third problem is that Windows requires a crapload of anti-malware software and services which is what Crowdstrike provides. It probably feels good to those PHBs — or whoever decided that outsourcing IT was a good idea — to transfer that workload and responsibility to an outside entity. Those who provide these services, Crowdstrike or otherwise, have no interest in fixing Windows. Microsoft has no interest in fixing Windows. The malware ecosystem that has encrusted Windows generates huge profits for Microsoft and all the anti-malware vendors. If you make your money from broken stuff, what would be your incentive for fixing it?
I have no suggestions for fixing those problems. Frankly — that’s not my job!
All I can do is protect myself by using Linux.
Although Linux is not impervious to problems, it is much more secure from the moment it’s installed. I’ve never used Windows as the primary operating system on any of my personal computers — EVER! And I never will because — all the above and more.
I won’t repeat all my reasons for using Linux. But, if you’re interested, you can read about it here: Why I Use Linux.