top | item 41018171

ScottBurson | 1 year ago

Really interesting to me that none of the commentators I've seen in the press have even hinted that maybe an OS that requires frequent security patches shouldn't be used for infrastructure in the first place. For just one example, I've seen photos of BSODs on airport monitors that show flight lists -- why aren't those built on Linux or even OpenBSD?

Security is not a feature that can be layered on. It has to be built in. We now have an entire industry dedicated to trying to layer security onto Windows -- but it still doesn't work.

nullindividual|1 year ago

> why aren't those built on Linux or even OpenBSD

The vendor who makes the software has always written for Windows (or in reality, wrote for either DOS or OS/2 then transitioned to NT4). History, momentum, familiarity, cost, and ease of support all are factors (among others, I'm sure).

Security is a process, not a product.

And yes, distros require frequent updates, though more to your point, you can limit the scope of installed software. I'm sure airport displays don't need MPEG2, VP1 and so on codecs, for instance.

It's also important to remember that there is a lot of 'garageware' out there with these specialized systems. Want SAML/OIDC support? We only support LDAP over cleartext, or Active Directory at best. Want the latest and greatest version of Apache Tomcat? Sorry, the vendor doesn't know how to troubleshoot either, so they only "support" a three year old vulnerable version.

Ran into that more than a few times.

Given the hypothesis of what caused the BSOD with Crowdstrike (NULL pointer), using a safe language would have been appropriate -- it's fairly easy in this case to lay the blame with CS.

Microsoft supplies the shotgun. It's the vendor's responsibility to point it away from themselves.

pwg|1 year ago

> I'm sure airport displays don't need MPEG2, VP1 and so on codecs, for instance.

They don't, until the day the airport managers are approached by an advertising company waving the wads of cash the airport could be 'earning' if only they let "AdCo" display, in the top 1/4 of each screen, a video advertising loop. At which point, those displays need the codecs for "AdCo's" video ads.

joe_the_user|1 year ago

Wow,

> Security is a process, not a product...

> The vendor who makes the software has always written for Windows (or in reality, wrote for either DOS or OS/2 then transitioned to NT4). History, momentum, familiarity, cost, and ease of support all are factors (among others, I'm sure)...

That's starting the argument with "weight loss is about overall diet process, not individual choices" and then hopping to "ice cream for dinner is good 'cause it's convenient and I like it".

The statement "Security is a process, not a product." means you avoid shitty choices everywhere, not you make whatever choices are convenient, try to patch the holes with a ... product ... and also add an extra process to deal with the failures of that product.

Drygord|1 year ago

[deleted]

politelemon|1 year ago

> an OS that requires frequent security patches

> Security is not a feature that can be layered on. It has to be built in

This is a common misunderstanding; an OS that receives frequent security updates is a very good thing. That means attention is being paid to issues being raised, and risks are being mitigated. Security is not a 'checkbox', it's more of a neverending process because the environment is always in a state of flux.

So to flip it, if an OS is not receiving updates, or not being updated frequently, that's not great.

What you want is updates that don't destabilize an OS, and behind that is a huge history and layers of decisions at each 'shop' that runs these machines.

Security is meant to be in layers and needs to be built in.

> but it still doesn't work.

It does work because the 'scene' has been silent for so long, but what we as humans notice is the incident where it didn't.

hedora|1 year ago

This sort of thinking is one of the main problems with the industry, in my opinion.

We've got a bunch of computers that mostly don't make mistakes at the hardware layer. On top of that, we can write any programs we want. Even though the halting problem exists, and is true for arbitrary programs, we know how to prove all sorts of useful security properties over restricted sets of programs.

Any software security pitch that starts with "when the software starts acting outside of its spec, we have the system ..." is nonsense. In practice, "acting outside its spec" is functionally equivalent to "suffers a security breach".

Ideally, you'd use an operating system that has frequent updates that expand functionality, that is regularly audited for security problems, and that only rarely needs to ship a security patch. OpenBSD comes to mind.

If software has frequent security updates over a long period of time, that implies that the authors of the system will continue to repeat the mistakes that led to the vulnerabilities in the first place.

dotancohen|1 year ago

Remote update is a nice way of saying remote code execution. It is really really hard to ensure that only the entity that you want to update your system, can update your system, when facing a state-funded adversary. Sometimes that state adversary might even work in concert with your OS vendor.

That's before even addressing mistakes.

Alteran|1 year ago

Frequent security updates are a good thing, frequent security auto-updates are not, at least when it comes to situations like this. Technology that runs 24 hour services such as airports and train stations should not be updated automatically just like that, because all software updates have high potential to break or even brick something. Automation is convenient and does save money which would otherwise have to be paid for additional labor to do manual updates, but in cases like this, it should be understood that it's better not to break the airport and to roll out updates manually in stages.

wil421|1 year ago

Airport staff need to be able to support them. Not HN types.

Most people know how to use a Windows computer.

Most IT desktop support knows how to use and manage Windows. Even building facilities folks can help support them.

Microsoft makes it easy to manage a fleet of computers. They also provide first party (along with thousands of 3rd parties) training and certifications for it.

Windows are the de facto Business Machines.

Most signage companies use Windows.

Finding someone who knows a BSD is not easy.

advael|1 year ago

Most people don't know how to tell what's going wrong with a Windows computer

A Windows computer that relies on cloud services, as an increasing and often nonsensical subset of the functionality on one does, can often only be fixed by Microsoft directly

Microsoft intervenes directly and spends billions of dollars annually on anticompetitive tactics to ensure that other options are not considered by businesses

And with this monopoly, it has shielded itself from having to compete on even crucial dimensions like reliability, maintainability, or security

commercialnix|1 year ago

> Airport staff need to be able to support them.

I know of a very small airport where what is displayed over the HDMI part is essentially Firefox at fullscreen with powersaving disabled so the screen does not blank. Some of them are Intel NUC, some of them are Raspberry Pi with HSM in a box. These devices basically "boot to Firefox" with relevant credentials read off internal TPM/HSM.

Those among airport staff who do not know how to use a computer at all can get them working by just plugging them in.

> Most people know how to use a windows computer.

They know enough to open a browser.

> Most IT desktop support knows how to use and manage windows.

They know how to cope with Windows, at best.

> Finding someone who knows a BSD is not easy.

BSD is everywhere and in far more places than Windows, like almost every car sold after 2014. But you never ever see BSD because it's already working with nothing for the end customer to do.

jjav|1 year ago

> Airport staff need to be able to support them. Not HN types.

Airport staff are not debugging the Windows install. They power-cycle it and see what happens, otherwise call the vendor to come in.

So there's no actual reason other than laziness to build kiosk mode computers on Windows.

mkoubaa|1 year ago

Airport staff don't maintain infrastructure, at best they maintain front ends to it

fifteen1506|1 year ago

Yup.

Another take to be done here is: computers shouldn't have unfiltered internet access all the time.

Whitelist it and once every 3 days open the internet gates.

(Easier said than done)

late2part|1 year ago

I know a BSD. Half of the things you wrote above are wrong.

citrin_ru|1 year ago

For many CTO/CISO it is more important to have a good target to shift responsibility to when things go awry than to have a reliable/secure system. A Big Brand is a good target, an open-source project like OpenBSD is not. I doubt any CTO will be fired for choosing Windows+CrowdStrike (instead of Linux/BSD) despite many million losses.

"Nobody ever gets fired for buying IBM" is as true as ever at least in the corporate world.

commercialnix|1 year ago

> I doubt any CTO will be fired for choosing Windows+CrowdStrike (instead of Linux/BSD)

I was personally involved in a meeting where my firm's leadership advised a client who did fire their CTO and a bunch of other people for what was ultimately putting what they thought were smart career moves over their actual responsibilities.

Unfortunately, as you did just point out, the CEO, other execs, and board are often just as incompetent as the CTO/CISO who have such a shit-brained mindset.

dopylitty|1 year ago

Or don't use an OS at all. We need to think about minimizing the use of software in critical infrastructure. If that means less efficiency because you have to be near something to maintain it then so be it. That would be good for jobs anyway.

Osiris|1 year ago

Even unikernel applications have an OS compiled into the application. It's necessary to initialize the hardware it's running on, including the CPU and GPU and storage.

I suppose you could build it as a UEFI module that relies on the UEFI firmware to initialize the hardware but then you get a text only interface. But then the UEFI is the OS.

But this outage was not an OS problem. It was an application bug that used invalid pointers. If it was a unikernel it still would have crashed.

antihero|1 year ago

How exactly would a lot of end user systems function without one?

LVB|1 year ago

To pick on your airport example a bit… all of the times I’ve gotten to enjoy a busted in-seat entertainment system, I’ve found myself staring at a stuck Linux boot process. This goes well beyond the OS.

fxtentacle|1 year ago

It's typically Android.

ta1243|1 year ago

Those sorts of things just need to boot to a web browser in full screen with some watchdog software in the background, launching from a read only disk (or network image). Get a problem, just unplug it and plug it back in. Make it POE based so you can easily do it automatically, stick them on a couple of distros (maybe even half on bsd, half on linux, half using chrome, half on firefox)

polski-g|1 year ago

A web browser is an unbelievably complex piece of software. So complex that there are now only two. And also so complex that there are weekly updates because there's so many security holes.

tester756|1 year ago

>We now have an entire industry dedicated to trying to layer security onto Windows -- but it still doesn't work.

What makes you think so?

How is Linux better in that area?

hi_hi|1 year ago

I'm sure we've all heard the phrase "We're a Windows shop" in some variation.

I understand the reasons for it, and why large, billion dollar companies try to create some sort of efficiency by centralising on one "vendor", but, then this happens.

I don't know how to fix the problem of following "Industry Trends" when every layer above me in the organisation is telling me not to spend the time (money) to investigate alternative software choices which don't fit into their nice box.

Osiris|1 year ago

The outage was not because of the OS. It was a kernel driver that attempted to use invalid memory.

The same crash could happen with any kernel driver in any operating system.

You've never seen Linux crash because of a driver bug?

stefan_|1 year ago

I read the T&C of this CrowdStroke garbage and they have the usual blurb about not using it in critical industry. Maybe we just charge & arrest the people that put it there and this checkbox-software mess stops real quick.

AceyMan|1 year ago

/set Devil's Advocate mode:

from the reporting so far, no one has died as a result of the Crowdstrike botch. For my money, that sounds like it's not being used in 'critical industry'.

/unset

There were several 911 service outages included in the news yesterday, so I would definitely agree those fall into the category. I haven't seen how many hospitals were deeply affected; I know there were several reports of facilities that were deferring any elective procedures.

delfinom|1 year ago

The public T&C is for small businesses. Any large business is going to be negotiating very different terms which are not public.

Rinzler89|1 year ago

>Really interesting to me that none of the commentators I've seen in the press have even hinted that maybe an OS that requires frequent security patches shouldn't be used for infrastructure in the first place.

Nobody's commenting on that because it's the wrong thing to focus on.

1) This fuckup was on CrowdStrike's Falcon tool (basically a rootkit) bricking Windows due to a bad kernel driver they pushed out without proper hygiene, not on Windows's security patches being bad.

2) Linux also needs to get patches all the time to be secure (remember XZ?). It's not just magically secure by default because of the chubby penguin but is only as secure as its most vulnerable component, and XZ proved it has a lot of components. I'd be scared if a long period goes by and I see no security patches being pushed to my OS. Modern software is complex and vulnerabilities are everywhere. No OS is ever bug-free and fully bulletproof enough to believe it can be secure without regular patches. Other than TempleOS of course.

The lesson is whichever OS you use, don't surrender your security to a single third party vendor who you now have to trust with the keys of your kingdom as that now becomes your single point of failure. Or if you do be sure you can sue them for the damages.

Osiris|1 year ago

It's shocking to me how many people on HN are not understanding this concept that Windows had nothing to do with it.

It's just as likely they could crash a Linux machine by releasing an update to their Linux software that also referenced invalid memory.

Am I the only one that's seen drivers in Linux cause a kernel panic?

citrin_ru|1 year ago

> Linux gets security patches all the time

1) While CrowdStrike can be run on Linux it is less of a risk to use Linux without it than Windows. I don't think most Linux/BSD boxes would benefit from it. It could be useful for a Linux with remotely accessible software of questionable quality (or a desktop working with untrusted files) but this should not be the case for any critical system.

2) There is a difference between auto-updates (common in Windows world) and updates triggered manually only when it is necessary (and after testing in non-prod environment). Also while Linux is far from being bug-free, remotely exploitable vulnerabilities are rare.

jijji|1 year ago

every year multiple times per year there's reports of Microsoft Windows systems having either mass downtime or exploitation.... it's kind of amazing that critical systems would rely on something that causes so much frustration on a regular basis.... I've been running systems under Linux and Unix for decades and never had any down time... so I don't know I mean it's nice to know that Linux is pretty solid and always has been the worst that's ever happened has been like a process that might go down during an upgrade, but never the whole system.

giancarlostoro|1 year ago

> why aren't those built on Linux or even OpenBSD?

Or even ChromeOS which has insane security.

> but it still doesn't work.

It works momentarily, but there will always be 0-days; the people who make the exploits intimately know the Windows API internals.

echoangle|1 year ago

> Or even ChromeOS

ChromeOS is a Linux distro BTW

Drygord|1 year ago

Linux is vulnerable too (but not as vulnerable as Windows of course), it's just not targeted by hackers because its market share is so small. That wouldn't be the case if, say, half of all users ran Linux.

smcleod|1 year ago

There are far more servers running linux/bsd than there are Windows.

makapuf|1 year ago

Its market share on servers (a juicy target) is not small at all.

balls187|1 year ago

I've never managed Linux IT departments -- how good are the management tools compared to what Microsoft offers, such as tooling for managing thousands of computers across hundreds of offices?

beefnugs|1 year ago

Layering is absolutely possible, but more at the network layer than the individual computer layer.

Minimal software and OS running on Linux as a layer between any Windows/whatever and internet connectivity. Minimize and control the exact information that gets to the less hardened and trustworthy/complicated computers.

Osiris|1 year ago

Remember when operating systems only got updates through service packs?

We moved to a more frequent update cycle because when a critical vulnerability was found, no one wanted to wait 6-12 months for the service pack.

delfinom|1 year ago

I'm sorry but even Linux requires frequent security updates due to its large ecosystem of dependencies. It's more or less required by every cyber security standard to update them just like Windows.

blablabla123|1 year ago

On the other hand OpenBSD doesn't require very frequent patching assuming a default install which comes with batteries included. For a web server there's just one relevant patch since April for 7.5: https://www.openbsd.org/errata75.html

advael|1 year ago

I agree that all dependencies should be treated as attack surface. For that reason, systems for which dependencies can be more tightly controlled are inherently more secure than ones for which they can't. The monolithic and opaque nature of Windows and other proprietary software makes them harder to minimize risk about in this way.

lr4444lr|1 year ago

That's beyond their level of comprehension.

marban|1 year ago

> Security is not a feature that can be layered on.

There's an entire industry for guard-railing LLMs now. Go figure.

advael|1 year ago

In the current economic environment, something doesn't have to be wise or even feasible to have an "industry"

dheera|1 year ago

> why aren't those built on Linux or even OpenBSD?

Because in the non-Silicon-Valley world of software, if you pick Linux and it has issues, fingers will get pointed at you. If you pick Windows and it has issues, fingers will get pointed at Microsoft.

hedora|1 year ago

This sort of emergent behavior is a feature, not a bug.

Operating systems that don't require frequent security patches aren't profitable.

Anyway, this is the step of late-phase capitalism that comes after enshittification. Ghost in the Shell 2045 calls it "sustainable war". I'd link to an article, but they're all full of spoilers in the first paragraph.

It probably suffices to say that the series refers to it as capitalism in its most elegant form: It is an economic device that can continue to function without any external inputs, and it has some sort of self-regulatory property that means the collateral damage it causes is just below the threshold where society collapses.

In the case of Cloud Strike, the body count is low enough, and plausible deniability is low enough that the government can get away with not jailing anyone.

Instead, the event will increase the money spent on security theater, and probably lead to a new regulatory framework that leads to yet-another layer of mandatory buggy security crapware (which Cloud Strike apparently is).

In turn, that'll lower the margins of anyone that uses computers in the US by something like 0.1%, and that wealth will be transferred into the industry segment responsible for the debacle in the first place. Ideally, the next layer of garbage will have a bigger blast radius, allowing the computer security complex to siphon additional margins.

noduerme|1 year ago

I don't think CS type endpoint protection is appropriate for a lot of cases where it's used. However:

Consider the reasons people need this endlessly updated layer of garbage, as you put it. The constant evolution of 0-days and ransomware.

I'm a developer, and also a sysadmin. Do you think I love keeping servers up to the latest versions of every package where a security notice shows up, and then patching whatever that breaks in my code? I get paid for it, but I hate it. However, the need to do that is not a result of "late-stage capitalism" or "enshittification" providing me with convenient cover to charge customers for useless updates. It's a necessary response to constantly evolving security threats that percolate through kernels, languages, package managers, until they hit my software and I either update or risk running vulnerable code on my customers' servers.

Ylpertnodi|1 year ago

[deleted]

akira2501|1 year ago

> I've seen photos of BSODs on airport monitors that show flight lists

The kiosk display terminal is not something I care about that much.

> We now have an entire industry dedicated to trying to layer security onto Windows

Too bad we have no such layering in our networks, our internet connections, or in our authentication systems.

Thinking about it another way, there's actually no specific system in place to ensure your pilot does not show up drunk. We don't give them breathalyzers before the flight. We absolutely could do this even without significant disruption to current operations.

We have no need to actually do this because we've layered so many other systems on top of your pilot that they all serve as redundant checks on their state of mind and current capabilities to safely conduct the flight. These checks are broader and tend to identify a wider range of issues anyways.

This type of thinking is entirely missing at the computer network and human usability layer.