top | item 41005246


frankohn | 1 year ago

The Windows ecosystem typically deployed in corporate PCs or workstations is often insecure, slow, and poorly implemented, resulting in ongoing issues visible to everyone. Examples include problems with malware, ransomware, and Windows botnets.

In corporate environments, IT staff struggle to contain these issues using antivirus software, firewalls, and proxies. These security measures often slow down PCs significantly, even on recent multi-core systems that should be responsive.

Microsoft is responsible for providing an operating system that is inherently insecure and vulnerable. They have prioritized user lock-in, dark patterns, and ease of use over security.

Apple has done a much better job with macOS in terms of security and performance.

The corporate world is now divided into two categories:

1. Software-savvy companies that run on Linux or BSD variants, occasionally providing macOS to their employees. These include companies like Google, Amazon, Netflix, and many others.

2. Companies that are not software-focused, as it's not their primary business. These organizations are left with Microsoft's offerings, paying for licenses and dealing with slow and insecure software.

The main advantage of Microsoft's products is the Office suite: Excel, Word and PowerPoint, but even Word is actually mediocre.

EDIT: improved expression and fixed errors.


dagaci|1 year ago

I think you represent the schism in your own post. Retail is hyper-focused on the name Microsoft and Windows. But the enterprise and technical people are focused on rolling back a bad CrowdStrike update. They will spend hours and even days focusing on doing that, asking why they were vulnerable to such an update and what they should have done to avert being vulnerable to a bad update.

And for them it will be a bit of a stretch to say Microsoft should have stopped us deploying CrowdStrike. I’m sure Microsoft would love to do just that and sell its own Microsoft Solution.

Now if enterprises decided to run only Linux, BSD, or MacOS, would they have been invulnerable to a bad CrowdStrike update? https://www.google.com/search?q=crowdstrike+kernel+panic

No, so your entire premise is fully invalidated by a single Google search.

On the other hand, I do feel Microsoft does have life far too easy in so many enterprises, but the fault here lies as much with the competition.

gred|1 year ago

> it will be a bit of a stretch to say Microsoft should have stopped us deploying CrowdStrike

I read GP's post to mean that if you take a step back, Windows' history of (in)security is what has led us to an environment where CrowdStrike is used / needed.

lizknope|1 year ago

In the case of a bad Linux kernel update I would just reboot and pick the previous kernel from the boot menu. By default most Linux distributions keep the last 3. I'm not an IPMI remote management expert but it may be possible to script this.

All my machines at home run Linux except for my work laptop. It is stuck in this infinite blue screen reboot loop. Because we use Bitlocker I can't even get it into safe mode or whatever to delete the bad file. I think IT will have to manually go around to literally 8,000 work laptops and fix them individually.

AgentME|1 year ago

MacOS has been phasing out support for third-party kernel extensions and CrowdStrike doesn't use a kernel extension there according to some other posts.

graemep|1 year ago

The issue with Crowdstrike on Linux did not cause widespread failures, so it's clear that the majority of enterprises that do run their servers on Linux were not affected. They were invulnerable because they do not need Crowdstrike or similar.

Linux (or BSD) servers do not usually require third party kernel modules. Linux desktops might have the odd video driver or similar.

miah_|1 year ago

Crowdstrike on Linux is only useful for appeasing corporate auditors, and making Crowdstrike money.

pepa65|1 year ago

If you ran "only Linux, BSD, or MacOS" on a Microsoft hypervisor, yes. I would never recommend that, and your link exemplifies one reason why.

Vilian|1 year ago

The difference is that I can easily roll back a Linux system, a complete update too, not on Windows.

jimnotgym|1 year ago

>Apple has done a much better job with macOS in terms of security and performance.

I really like their corporate IT products that are going to push MS out as you say. I particularly love iActive Directory, iExchange, iSQLserver, iDynamics ERP, iTeams. Apple's office products are the reason no one uses Excel any more. Their integration with their corporate cloud, iAzure, is amazing. I love their server products in particular; it being so easy to spin up an iOS server and have DFS file sharing, DNS etc. is great. MS must be quaking in their shoes.

Stranger43|1 year ago

All of those are products that create huge risks when deployed to mission-critical environments, and this is exactly the problem.

The entire Wintel ecosystem depends on people putting their heads in the sand and repeating "nobody ever got fired for buying Microsoft/CrowdStrike/IBM" and neglecting to run even the most trivial simulation of what happens when the very well understood design flaws of those platforms get triggered because a QA department you have no control over drops the ball.

The problem is that as long as nobody dares recognize the current monoculture around the "market leading providers", this kind of event will remain really likely even if nobody is trying to break it, and extremely likely once you insert well-funded malicious actors (ranging from bored teenagers to criminal gangs and geopolitical rivals).

The problem is that adding fair-weather products that give the illusion of control through fancy dashboards on the days they work is not really a substitute for proper resilience testing and security hardening, but it is far less disruptive to companies that don't really want to leave the 90s PC metaphor behind.

lostlogin|1 year ago

> I really like their corporate IT products that are going to push MS out as you say. I particularly love iActive Directory, iExchange, iSQLserver, iDynamics ERP, iTeams.

You’re being sarcastic, but do you like those MS products, specifically Teams?

I genuinely believe that any business that doesn't make Teams is doing the Lord's work.

indymike|1 year ago

Most of the software you list either has a Mac version or will interop well with Apple's ecosystem and has for a decade.

philistine|1 year ago

The fact that Apple is not trying to be a tentacular behemoth siphoning profits in every enterprise environment does not invalidate the fact that macOS is secure and performant.

Apple is a tentacular behemoth in the consumer space.

briandear|1 year ago

Dynamics, Teams, Exchange, Active Directory all suck. There are better alternatives but CIOs are stuck in 1996. Apple themselves in their corporate IT environment use none of those things yet somehow are one of the biggest and most profitable companies in the world. Azure is garbage compared to AWS. Using Azure Blob vs S3 is a nightmare. MSSQL is garbage compared to PostgreSQL. Slack is vastly better than Teams in literally every aspect. I just did a project moving a company from AWS to Azure and it was simply atrocious. Nobody at the user level likes using MS products if they have experience using non-MS products. It’s like Bitbucket — nobody uses that by choice.

PedroBatista|1 year ago

You've got to admire Apple fanboys' nerve to say Apple is a better company when it comes to IT in a professional setting.

It appears whatever their basic and narrow use case is becomes what the whole "corporate IT" is.

Windows sucks and recently Microsoft has been on a path to make it suck more, but saying Apple is better for this part of the IT universe is... hilarious.

MetaMalone|1 year ago

lol. I'll dunk on Apple as much as I'll dunk on any other OS, but they wouldn't be as praised for security if they had to manage the infrastructure and users that Windows supports.

frankohn|1 year ago

> I particularly love iActive Directory, iExchange, iSQLserver, iDynamics ERP, iTeams. Apples office products are the reason noone uses Excel any more.

I see your sarcasm backfire, as most of what you are listing is just Microsoft dog food with no real usefulness. The only good thing in your list is Excel; all the rest is bloatware. Teams is a resource hog that serves no useful purpose. Skype was perfectly fine to send messages or have some video calls.

I admit I don't have experience as an IT administrator, but things like managing emails, accounts, databases, and managing remote computers can be done with well-established tools from the Linux/BSD world.

arccy|1 year ago

> Apple has done a much better job with macOS in terms of security and performance.

Do not underestimate corporate IT's ability to slow down Macs with endpoint security software.

ChrisMarshallNY|1 year ago

This has been my experience.

I used to run a C++ shop, writing heavy-duty image processing pipeline software.

It did a lot, and it needed to do it in realtime, so we were constantly busting our asses to profile and optimize the software.

Our IT department insisted that we install 'orrible, 'orrible Java-based sneakware onto all of our machines, including the ones we were profiling.

We ended up having "rogue" machines, that would have gotten us in trouble, if IT found out (and I learned that senior management will always side with IT, regardless of whether or not that makes sense. It resulted in the IT department acting like that little sneak that sticks his tongue out at you, while hiding behind Sister Mary Elephant's habit).

But, to give them credit, they did have a tough job, and the risks were very real. Many baddies would have been thrilled to get their claws on our software.

ta1243|1 year ago

Had a problem with a "slow network" from a Mac to a NAS drive; it was capping at about 800 Mbit a second, despite having a 10G link.

As I looked through it, I killed Sophos. Suddenly speeds shot up above 7 Gbit. A few seconds later they dropped back down: Sophos had returned.

A "while (true) pkill sophos" later and the malware was sedated.

Having proved it wasn't a network problem I left it with the engineer to determine the best long term solution.

mattmcknight|1 year ago

Mosyle is doing their best to make Macs unusable.

balder1991|1 year ago

Yeah, idk what they do, but in my company some new MacBook Pros with M3 are taking 15 minutes to login after typing the user password.

__MatrixMan__|1 year ago

The poor quality of Windows and associated software is not the problem here. The problem is that Microsoft especially, but software vendors generally, encourage users to blindly accept updates which they do not understand or know how to roll back. And by "encourage" I mean that they've removed the "no thanks" and "undo" buttons.

Here on Linux (NixOS), I am prompted at boot time:

> which system config should be used?

If I applied a bad update today, I can just select the config that worked yesterday while I fix it. This is not a power that software vendors want users to have, and thus the users are powerless to fix problems of this sort that the vendors introduce.

It's not faulty software, it's a problematic philosophy of responsibility. Faulty software is the wake-up call.

slumberlust|1 year ago

What makes you think the FAANG companies don't use Windows? Spent four years at Amazon recently and unless you were a dev, you were more likely to have a Windows PC than a Mac. Saw zero Linux laptops.

mdip|1 year ago

It's funny how that works.

Leave FAANG and most internal developers at large corporations are running Windows. It wasn't until I started at a smaller shop that I found people regularly using Linux to do their jobs, usually in a dual-boot or with a virtual Windows install "just in case" but most never touched it.

I'm presently working supporting a .NET web app (some of which is "old .NET Framework"), but my work machine runs openSUSE Tumbleweed. I can't see that flying at the larger shops I have previously worked at. I'll admit, that might be different today; I haven't worked at a large shop in more than a decade.

marcyb5st|1 year ago

Depends on which FAANG, I guess. Approaching 10 years at Google now, and I've seen Windows laptops used only by very few sales people. Everyone else is either using Macs or Chromebooks.

briandear|1 year ago

At Apple nobody uses Windows.

quotemstr|1 year ago

> The Windows ecosystem typically deployed in corporate PCs or workstations is often insecure, slow, and poorly implemented

Yes, but that's not because of Windows itself (which is fast and secure out of the box) but because of a decades-old "security product" culture that insists on adding negative-value garbage like Crowdstrike and various anti-virus systems on the critical path, killing performance and harming real security.

It's a hard problem. No matter how good Windows itself gets and no matter how bad these "security products" become, Windows administrators are stuck in the same system of crappy incentives.

Decades of myth and superstition demand they perform rituals and make incantations they know harm system security, but they do them anyway, because of fear and tradition.

It's no wonder that they see Linux and macOS as a way out. It's not that they're any better -- but they're different, and the difference gives IT people air cover for escaping from this suffocating "you must add security products" culture.

mr_mitm|1 year ago

> which is fast and secure out of the box

Disagree. At least in the context of business networks.

My favorite example is the SMB service, which is enabled by default.

In the Linux world, people preach:

- disabling SSH unless necessary

- use at least public key-based auth

- better both public key and password

- don't allow root login

In Windows, the SMB service:

- is enabled by default

- allows command execution as local admin via PsExec, so it's essentially like SSH except done poorly

- is only password-based

- doesn't even support MFA

- is not even encrypted by default

It's a huge reason why everyone gets encrypted by ransomware.

I always recommend disabling it using the Windows firewall unless it is actually used, and if it is necessary define a whitelist of address ranges, but apparently it is too hard to figure out who needs access to what, and much easier to deploy products like Crowdstrike which admittedly strongly mitigate the issue.

The next thing is that Windows still allows the NTLM authentication protocol by default (now finally about to be deprecated), which is a laughably bad authentication protocol. If you manage to steal the hash of the local admin on one machine, you can simply use it to authenticate to the next machine. Before LAPS gained traction, the local admin account password was the same on all machines in basically every organization. NT hashes are neither salted nor do they have a cost factor.

I could go on, but Microsoft made some very questionable security decisions that still haunt them to this day because of their strong commitment to backwards compatibility.
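One way to implement the recommendation above (inbound SMB restricted to an allowlist of address ranges, SMB encryption required, and NTLM usage audited before it is restricted), as an added example that is not from the thread or any of its participants. It assumes an elevated PowerShell session on Windows 10/11 or Server 2016+, and the address ranges are constructed placeholders.

```powershell
# Added example, not part of the thread. Run in an elevated PowerShell session.
# Constructed placeholder ranges: replace with the hosts that genuinely need SMB
# access to this machine (file-server clients, backup, management jump hosts).
$SmbAllowedRanges = @('10.0.10.0/24', '10.0.20.5')

# 1. Inbound default = Block on every profile, so TCP 445 is only reachable
#    through an explicit allow rule.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable every built-in inbound rule that opens TCP 445 to any address.
#    This catches "File and Printer Sharing (SMB-In)" and the *-NP-In rules
#    (named-pipe based remote management) that also ride on 445.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Disable-NetFirewallRule

# 3. One scoped allow rule. Windows Firewall evaluates block rules before allow
#    rules, so the allowlist must live on the *allow* rule's RemoteAddress
#    rather than on a block rule with exceptions.
$ruleName = 'SMB-In (allowlisted ranges only)'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort 445 -RemoteAddress $SmbAllowedRanges -Action Allow `
    -Profile Domain, Private | Out-Null

# 4. The SMB traffic that is still allowed must be encrypted (SMB3), and SMB1
#    is dropped entirely. RejectUnencryptedAccess breaks clients that cannot do
#    SMB3 encryption, so inventory clients first.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true `
    -EnableSMB1Protocol $false -Force

# 5. NTLM: refuse LM/NTLMv1 and audit all incoming NTLM before restricting it.
#    These registry values mirror the "Network security: LAN Manager
#    authentication level" and "Restrict NTLM: Audit Incoming NTLM Traffic"
#    group policies; audit events land in
#    Applications and Services Logs > Microsoft > Windows > NTLM > Operational.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
Set-ItemProperty -Path "$lsa\MSV1_0" -Name AuditReceivingNTLMTraffic -Value 2 -Type DWord

# 6. Verify what is now in effect.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
Get-SmbServerConfiguration |
    Select-Object EncryptData, RejectUnencryptedAccess, EnableSMB1Protocol
```

On a domain-joined machine, Group Policy can re-enable the built-in rules or override the registry values, so the same settings should be pushed through GPO rather than applied only locally.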

arzig|1 year ago

Fun fact, these negative value garbage offerings are often "required" by box-checking certifications like SOC2. Sure, if you have massive staffing to handle compliance you might be able to argue you've achieved the objective without this trash. The rest of us just shrug and do it.

Some of the “compliance managers as a service” push you in this direction as well.

Avamander|1 year ago

> Windows itself (which is fast and secure out of the box)

That's a really bold claim. I'd say Windows comes with a lot of unsafe defaults OOB.

sys_64738|1 year ago

> Yes, but that's not because of Windows itself (which is fast and secure out of the box)

I think what you're really saying is that a Windows system is secure until you apply power to the computer.

rlanday|1 year ago

> > The Windows ecosystem typically deployed in corporate PCs or workstations is often insecure, slow, and poorly implemented

> Yes, but that's not because of Windows itself

Come on. There’s a reason Windows users all want to install crappy security products: they’ve been routinely having their files encrypted and held for ransom for the last decade.

lbadmin|1 year ago

Did you really just say Windows is secure out of the box?

mattmcknight|1 year ago

Apple on the desktop/laptop, Google in the cloud for email, collaboration, file sharing, office suite. I ran a substantial sized company this way for a decade. Then we did a merger and had to migrate to Microsoft: a massive step backwards, quintupling of IT problems and staff.

oytis|1 year ago

> Companies that are not software-focused, as it's not their primary business. These organizations are left with Microsoft's offerings

I wonder why that is the case. These companies still have IT departments; someone has to manage these huge fleets of Windows machines. So nothing would prevent them from hiring Linux admins instead of Windows admins. What makes the management of these companies consider Windows to be the default choice?

hnlmorg|1 year ago

It's because of two things:

1. Users are more comfortable running Windows and Office because it's Windows they likely used in school and on personal laptops.

2. This is the biggie: Microsoft's enterprise services for managing fleets of workstations are actually really good, or at least a massive step up from the competition. Linux (and its ilk) is much better for managing fleets of servers, but workstations require a whole different type of tooling. And once you have AD and its ilk running and thus Windows administrators hired, it's often easier to run other services from Windows too, rather than having to spin up another cluster of management services.

Software-focused businesses generally start out with engineers running macOS or Linux, so they wouldn't have Windows management services pre-provisioned. And that's why you generally see them utilising stuff like Okta or Google Workspace.

TeMPOraL|1 year ago

Inertia, plus integration - AFAIK Exchange and SharePoint don't run on Linux, so if the company buys into that, then it's Windows all the way down.

Still, all this is a red herring. Using Linux instead of Windows on workstations won't change anything, because it's not the OS that's the problem. A typical IT department is locked in a war on three fronts - defending against security threats, pushing back on unreasonable demands from the top, and fighting the company employees who want to do their jobs. Linux may or may not help against external attackers, but the fight against employees (which IT does both to fulfill mandates from the top and to minimize their own workload) requires tools for totalitarian control over computing devices.

Windows actually is better suited for that, because it's designed to constrain and control users. Linux is designed for the smart user to be able to do whatever they want, which includes working around stupid IT policies and corporate malware. So it shouldn't be surprising corporate IT favors Windows workstations too - it puts IT at an advantage over the users, and minimizes IT workload.

conception|1 year ago

Excel. There is no other software that can currently fill excel’s role in business. It’s the best at what it does and what it does is usually very important. Unfortunately.

gvurrdon|1 year ago

I don't know, but I would guess that Microsoft Office is what retains people; personal anecdotal experience suggests that anything else (Apple's offerings, Google Docs, LibreOffice &c.) is not acceptable to the average user. My suspicion is that Microsoft would be very unhappy to have MS Office running successfully on Linux systems.

afavour|1 year ago

> These companies still have IT departments

A lot actually don’t, in any meaningful sense. My partner’s company has a skeleton IT staff with all support requests being sent offshore. An issue with your laptop? A new one gets dispatched from ??? and mailed to you, you mail the old one back, presumably to get wiped and redispatched to the new person that has a problem.

chucke1992|1 year ago

Tooling, infra, knowledge? The only reason why people are talking about "issues in Windows" is because people are widely using it.

If Linux had software anywhere close to the amount that Windows has, it would have experienced the same issues too. After all it is not just about running a server and tinkering with config files. It is about the ability to manage the devices, roll out updates and so on.

dariosalvi78|1 year ago

Office. The entire world runs on Excel, Word and Powerpoint. Unfortunately.

gadders|1 year ago

Word, Excel, PowerPoint and all the other Windows software. Plus all the people that know how to use the Windows software vs Linux equivalents (if they exist).

bregma|1 year ago

Purchasing decisions are made by purchasing managers. Purchasing managers spend their time torturing numbers in spreadsheets, writing reports, and getting free lunches from channel sales reps. Microsoft is just a sales organization with some technical prowess, and their channel reps are very effective.

Technical arguments, logic, and sense do not contribute much to purchasing decisions in the corporate world.

Asmod4n|1 year ago

The business world runs on Windows, no way around that unless you only need a simple cash register and inventory software.

Darvon|1 year ago

If you were ready to ditch corpomicrosoft, why would you go to corpoapple instead of something FOSS like Debian tho?

nextos|1 year ago

I'd say something implementing the ideas of NixOS, i.e. immutable versioned systems and declarative system definitions, is poised to replace the current deployment mess, which is extremely fragile.

With NixOS, you can upgrade without fear, as you can always roll back to a previous version of your system. Regular Linux distributions, macOS, and Windows make me very nervous because that is not the case.

Wytwwww|1 year ago

> foss

Because you just want stuff to work and couldn't care less about the ideology part?

Also, no feature parity (it's not about Windows being "better" than Linux or the other way around; none of that matters): there are no out-of-the-box solutions to replace some of the stuff enterprise IT relies on in Windows/etc., which would mean they'd have to hire expensive vendors to recreate/migrate their workflows. The costs of figuring out how to run all of your legacy Windows software, retraining staff etc. etc. would be very significant. Why spend so much money with no clear benefits?

To be fair I'm not sure how Apple figures into this. They don't really cater to the enterprise market at all.

harimau777|1 year ago

When I took a Linux course in college I had an old laptop that I installed Linux on. However, for some reason my wireless card wouldn't work. I mentioned it to my professor and the next day he told me "It's actually quite simple, you just have to open up the source code for the wireless driver and make a one line change."

Maybe things have gotten better, but I think that's why people use Mac. It's POSIX but without having to jump through arcane hoops.

danaris|1 year ago

Because for some people (certainly not all), their objection is not to a "corporate" OS, but to the specific things Microsoft does that Apple does not.

1over137|1 year ago

Because there is software that runs only on certain OSes, and not others.

Intermernet|1 year ago

Honestly, Windows out of the box is pretty secure. I don't want to defend Microsoft here, but adding third-party security to Windows hasn't been anything but regulatory compliance at best and cargo culting at worst for over a decade now. If you actually look at core Windows exploits compared to market share, they're comparable to Apple. Enterprises insist on adding extra attack surface area in the name of security.

I agree that people who actually know what they're doing are generally running Linux backends, but Microsoft have enterprise sewn up, and this attack is not their fault.

patmorgan23|1 year ago

A lot of Active Directory defaults are wildly insecure, even on a newly built domain, and there are a lot of Active Directory admins out there that don't know how to properly delegate AD permissions.

glitchc|1 year ago

Windows is leagues ahead of MacOS in terms of granularity of permissions and remote management tools. It's not even close. That's mainly why enterprise IT prefers it to alternatives.

gortok|1 year ago

Downvoted, because in your response you conflate two issues:

1. The problem with using Microsoft.

2. The lack of institutional knowledge of securing BSD and MacOS and running either of those at the scale Microsoft systems are being run at.

The vast majority of corporate computer endpoints are running Windows. The vast majority of corporate line-of-business systems are running Windows Server (or alternatively Microsoft 365).

That means a whole lot of people have knowledge on how to administer Windows machines and servers. That means the cost of knowledge to administer those systems is going down as more people know how to do it.

Contrast that with MacOS Server administration, endpoint administration, or BSD administration. Far fewer people know how to do that. Far fewer examples of documentation and fixes for issues administrators have are on the internet, waiting to help the hapless system administrator who has a problem.

It's not just about better vs. worse from your perspective; it's about the cost of change and the cost of acquiring the knowledge necessary to run these corporate systems at scale -- not to mention the cost of converting any applications running on these Windows machines to run on BSD or MacOS -- both from an endpoint perspective and a corporate IT system perspective.

It's really not even feasible to suggest alternatives to any of the corporations using Microsoft that are impacted by this outage.

If you want to create an alternative to Microsoft's Corporate IT Administration you're gonna need to do a lot more than point to MacOS or BSD being "better".