Now Microsoft just sounds like pre-Brexit Britain. Why reflect on your own shortcomings when you can blame the EU instead :)
I suggest Microsoft follows Britain's example and leaves. The main difference is that we Europeans actually miss the Brits, whereas nobody would miss Microsoft and its shoddy products and business practices.
On a more serious note, I fully understand that the Digital Markets Act is causing Microsoft headaches. But I think this headache is well deserved. Big Tech has been building moats where they should have built bridges, and now our computing landscape resembles medieval Germany where everything was at the mercy of a few feudal lords. It is time to drive out those lords and reshape software in a way that empowers, not enslaves.
Apple did, Microsoft is working on eBPF for Windows[1] but I doubt they'll sunset their kernel modules support. At the very least, it means there are safer ways to load third-party code in the kernel without allowing them to crash your entire system by mistake. Even if kernel modules are still supported, a compliance framework may introduce a "No kernel module" requirement, just like they require a CrowdStrike-like software to be installed.
However, doing so is no easy feat. The first version of eBPF was released over 10 years ago.
Why would Microsoft even bother making this comment? Is the outage in some part their fault? I was under the impression it had everything to do with the botched CrowdStrike update, and nothing to do with Windows itself. This could have just as well happened with some widely deployed antivirus running in the Linux kernel.
The headline is clickbait.
Microsoft is saying why they couldn’t secure the kernel against such an attack, and are right in saying that the EU prevents them from closing it off to third parties.
They are not saying the EU is the root cause of the failure, just that they cannot close the hole currently due to the EU.
What they leave out is that they could choose to integrate Defender into the OS for free, thereby removing it as a product to compete against. They could also move Defender to not require kernel hooks either. Neither are options they want to consider currently.
Integrating Defender sounds like it would create an antitrust issue? If I remember correctly, MS was in the past taken to court and forced to sell some product or other separately, when they previously provided it for free.
No comment about being able to move Defender to not require kernel hooks (I don't know).
> Why would Microsoft even bother making this comment? Is the outage in some part their fault?
Two reasons:
1 - Few people understand anything about how their computer (/car/stove/phone/medicine/...) works -- they spend their time on other things.
Without any model of how their device works it's easy to misassign responsibility (see how many people think that Safari is Google or vice versa). So it's in MS's interest to try to get the message out. Of course people do this when they are at fault as well.
2 - EU is in a wave of beating up* on certain large companies. This can also be an opportunistic way to push back.
* I am not implying whether I think the EU is correct or not.
MS is damned if they do, damned if they don’t. You can already see it in the comments. “They had 15 years to fix this”, “this is an excuse”, “they are already on the attack” etc.
If MS had blocked these types of things people would be in here complaining about antitrust and MS is evil.
HN and in general the software community has a hate-boner for Microsoft, it is almost tradition at this point.
While the hate is valid in many cases, I've observed that the cribbing about it has also been unwarranted or unjustified a lot of the time (also no other corp is held to the same standard) - and this is a prime example.
MS cannot legally restrict third party kernel. Apple can, bc they didn't get struck down like MS did.
MS has an option to not bundle Defender with their OS, which would let them lock the kernel to avoid the anti-trust restrictions, but that would be an insane decision to make.
Every time something like this comes up - people are unwilling and incapable of comprehending regulation has consequences. This is one of the consequences...
Our EU friends really enjoy having all the regs on everything... but then demand to be treated as-if the regs don't exist. It's amazing to see...
Microsoft is stuck because anything they'd do would reduce the "freedom" of end users.
I work in big tech, and unfortunately we frequently need to have conversations about the smallest features because we have evidence about us giving users an inch and them taking a mile.
The EU prays for a MSexit from the EU. The efficiency gains by that would be enormous. If we could just get also a SAPexit, Europe would become unbeatable.
From what I can tell, Microsoft signed DigiCert's certificate, and DigiCert signed CrowdStrike's certificate, and CrowdStrike signed the driver file.
Windows kernel signing does not work like Apple's Big Brother approach, it uses a set of certificate authorities.
Microsoft does have a program for verifying drivers: WHQL, which you may recognise from the slower driver that Windows Update installs for your GPU before you download the faster one that didn't pass Microsoft's verification from the manufacturer's website. CrowdStrike doesn't seem to be WHQL-certified.
Or, an alternative interpretation: Microsoft had 15 years to fix any issues.
[1] https://github.com/microsoft/ebpf-for-windows
Damned if they do, Damned if they don't indeed
https://news.ycombinator.com/item?id=41038520
https://news.ycombinator.com/item?id=41029590