> Who is Microsoft to decide what others do on their machines?
That would be an amazing rant had it only ended with "Sent from my iPhone".
Since the Blaster worm incident two decades ago, we're in a new era where security at scale becomes the forefront responsibility of the companies developing the product. That includes writing more secure code, having more verifications in place, adopting more secure technologies, but also, limiting user capabilities in order to avoid at scale security incidents.
This isn't about Microsoft. Some of these "forced" limitations are: UAC (User Access Control)/SUDO, Bitlocker/Full disk encryption, App sandboxing/On-demand permissions, Signed firmware and boot mechanisms, signed release binaries, Jailbreak-protections, Limitations on raw packet operations, auto-installed updates, forced security updates, closed source code, built-in anti-malware.
When you have a billion devices running around the world, you can't say "hey we'll let this arbitrary group of billion people do what they think is best for them", because you then end up with Blaster worm, and the whole Earth falls apart.
Think about the more recent CrowdStrike incident. That kind of deployment has been performed by professionals, not even regular people, and yet, it's managed to bring down the entire world to its knees. People might have died because of CrowdStrike.
CrowdStrike happened because one of the "user-empowering" features: ability to install kernel drivers on a machine. Now, people are begging Microsoft to adopt a more isolated, user-mode-only device driver system, so this kind of incident won't happen. Yes, some users who want to install their precious kernel driver could have problems, but at least the world would keep running.
Microsoft is nowhere to be blamed about this. Secure defaults is the responsibility of every product that intends to be used at scale.
If you'd like, you can disable Secure Boot, keep your data in plaintext on your hard drive, let all applications run as root, and you'd be the most powerful user in the universe. I'm all for personal freedom to disable the security features, but, at scale defaults must always prefer security over capability. That's not about Microsoft, or Google, or Apple. That's about at scale risk management.
The Blaster worm did not in fact make the whole earth fall apart. Stop scaremongering.
> When you have a billion devices running around the world
This is exactly the point: Microsoft does NOT have those billions of devices, their users do.
> CrowdStrike happened because one of the "user-empowering" features: ability to install kernel drivers on a machine.
CrowdStrike happened because the corporation behind it had direct control over the computers it was running on and the ability to install security updates without the user's consent. They even ignored configuration that was supposed to delay updates for critical machines. Spinning this as some kind of failure of user empowerment instead of a consequence of the same kind of ownership inversion that secure boot and other DRM brings is absurd.
> at scale defaults must always prefer security over capability
And that's exactly how you end up in a dystopia. Because the demand for increased security never ends and can be used to justify any and all loss of freedom.
> The Blaster worm did not in fact make the whole earth fall apart. Stop scaremongering.
Blaster was a wake-up call, caused DDoS on servers, and kickstarted similar variants like SQL Slammer, Sasser, Conficker that hindered many services around the world. Stop dismissing real threats because you haven't personally been affected by them.
> This is exactly the point: Microsoft does NOT have those billions of devices, their users do.
Do you prefer a billion unpatched systems roaming around with all ports open and running all programs as admin? Why are you against secure defaults?
> Because the demand for increased security never ends and can be used to justify any and all loss of freedom.
If you don't like secure defaults, just turn them off. If you don't like how Windows does something, use an alternative. What dystopia are you talking about?
Blaster was Microsoft's own incompetence. CrowdStrike was CrowdStrike's own incompetence. They are free to fix the problems of their own doing. But messing with software you do not own, on machines you do not own, crosses a line and should be considered an act of aggression. What if some Linux distro releases an update that deletes any installations of Windows it finds "because Windows is insecure" (according to them)?
> people are begging Microsoft to adopt a more isolated, user-mode-only device driver system, so this kind of incident won't happen
Those people are, to put it bluntly, either authoritarian idiots or corporate shills. They want to give more control to Microsoft, but it's not like M$ is all that competent either, as what this article and past fiascos (like the Blaster you mentioned) have already shown, so they're going to just make things worse for everyone.
> CrowdStrike happened because one of the "user-empowering" features: ability to install kernel drivers on a machine.
And crimes happen because people still have freedom. Doesn't mean we should start imprisoning (or enslaving to the machine) everyone from birth.
"Freedom is not worth having if it does not include the freedom to make mistakes."
All security bugs are a result of incompetence. Massive DoS incidents are a result of scale. Use your magic wand, bring Linux to 90% desktop OS marketshare, and see how one malware destroys an order of magnitude more Linux devices than Windows.
> They want to give more control to Microsoft
No, they want secure defaults, not less control.
> And crimes happen because people still have freedom.
Okay, let me extend that whataboutism with "hey why do we have laws that limit people's freedom, let's remove all the laws if people are entitled to infinite freedom, and can be trusted with their judgement".
> When you have a billion devices running around the world, you can't say "hey we'll let this arbitrary group of billion people do what they think is best for them", because you then end up with Blaster worm, and the whole Earth falls apart.
The bug is in the fact that billions of machines are running exactly the same proprietary software.
Following the "virus" metaphor, having billions of identical organisms is how you get pandemics, mass die-offs, and extinctions.