Endpoint sovereignty: Why the CrowdStrike outage is just the beginning.

This blog post offers an insight into the July 2024 network outage as an issue of property and responsibility.

Do you own any things?

Even if you're nomadic, wandering from place to place, you've probably a bag of clothes. The possibility of legal possession and control over property is a foundation of capitalist socio-economic culture which Adam Smith believed any state has a fundamental duty to guard. What does it mean to own something? For most of us ownership just means something we can rely on to be there. We expect a bunch of things about ownership;

• exclusivity means we don't have to contend for use
• other people can't take or alter our things
• harms against our property is outlawed
• we can buy, sell and exchange property

And there is something else that people think less of these days which is;

• responsibility to ensure our property causes no harm
• maintenance, upkeep and defence of property

However we think about property and ownership it speaks to deep, emotional, fundamental rights and expectations. But when it comes to our computers we have a few problems.

The 1980s and 1990s were the golden age of the personal computer revolution. The idea that computers could belong to ordinary people and be used for their own ends and betterment was as much a tectonic social shift as the Internet.

But today some people don't own their gadgets. We're not talking about those who rent, or are issued 'work' devices, but those who literally take no interest in the objects that mediate much of their lives. Another legal term around ownership is interest. To have an in interest in something is to maintain a stake. Give up your interest and someone else will step in to direct your life and affairs.

"If people cannot write well, they cannot think well, and if they cannot think well, others will do their thinking for them." – Orwell

Some of us have very ambivalent relations with our gadgets. People snap from cradling their phone adoringly to beating and yelling at it in a moment. Gadgets sometimes feel like intruders and interlopers, and at other times like saviours when we crave contact and information. This is much the same relation an infant has with it's mother's breast. It rages at the unpredictabile availability of what it cannot understand.

Though our gadgets are very important bits of property, we take them for granted. This casual disregard has been called Affluenza ¹. On average, every 18 months each we throw away a perfectly good computer - with massive impact on the environment - to 'upgrade'. For gadgets we have a low attachment but a high dependency. Only when people lose their phones do they panic and fully realise what it means to be without the device. Consequently, we sometimes quite forget that our computers are our own and fail to exercise our rights and duties over them.

Wealthy folks with giant castles can afford guards. Their minions patrol the perimeter and grounds chasing off invaders. But the guards have strict instructions. They are most definitely not allowed to rummage through the office drawers, or make themselves comfortable in the bedroom. And for those working people who hire nannies or cleaners, they also set very strict limits on what they can do on the property.

A different problem is that people do not understand computers. As we live today, when we don't understand something we are happy to let expert tradesmen deal with it. Plumbers can fix pipes, and electricians can fix wires, but we still own our house. Letting the plumber repair the bath does not entitle the plumber to move in and start using the bathroom. So we trust that the plumber will do a good job, and then leave. Would you allow random strangers to move in to your house, and allow them to live in your house while you pay them to "protect" your stuff?

Some people are so clueless about computers, yet at the same time worried about being hacked, that they hire professional hackers to be inside their computer to protect it. This is called "endpoint managed security".

It is a liability. Microsoft Windows is an appallingly badly written piece of software. It is riddled with security holes and pretty much always has been. Unfortunately it's one of the most popular operating systems for ordinary computers used by people who do not care much about computer security.

In 2024 it's easy to see how Microsoft built an empire selling a substandard product cheap and aggressively to capture the market - perhaps with the intention of "fixing it all, one day". That fix never came and today Windows is mired in technical debt and remains notorious as a source of rotten cybersecurity. While - as Leonard Cohen would put it - "everybody knows" that Windows is cheap, nasty and insecure, and the majority of folk behave as Russians talk about cheap vodka - it gets the job done if you have enough to forget.

Into that opportunity rushed dozens of "security vendors" who sell add-on products to make Windows secure. They almost universally fail because you cannot really add-on security to a broken system. As they say; you can't make a silk purse out of a pig's ear. Indeed many cybersecurity experts will tell you that adding more security products to a broken system makes it worse. It increases the attack surface. Now you have a broken operating system and a dozen flaky security products, each with their own vulnerabilities to contend with. This year the US administration banned the Kaspersky anti-virus product. Weeks later it was a US American product that brought the world to its knees for a day.

Since the 1990s, Windows owners exasperated with poor security started to buy add-on anti-virus software, intrusion detection systems, remote monitoring, host level filtering and much more from third parties. There is a massive security industry feasting on the Microsoft carcass. Serious operating systems like Berkeley Software Distribution Unix (BSD) or SE Linux do not need these extra protections.

But this sort of software is even worse than the crappy operating system it tries to hide. It lives on the owners computer and connects constantly to the vendor's computers. Those companies then have full control over the customer's device - a job they themselves have given up responsibility for and expect will become "someone elses' problem".

But giving up control is giving up ownership. Handing over the keys to your kingdom is really saying, take-it! When we install these products we say, "Please take away control of all my data, personal affairs, privacy, photos, bank-details, contact lists and location data - because I basically don't care about it enough to assume responsibility. We imagine that, like plumbing services, security can be bought as a product. Buying security as a service from privateers is more commonly known as a "protection racket".

People trust third party Managed Security Products (MSP) to take over their affairs. In the most extreme case they buy "Endpoint Management" which totally takes over their computer. This is the technical equivalent of granting power of attorney over your legal affairs. MSP endpoint software gets into the into the most intimate and sensitive parts of the computer - called the kernel - as if into the office drawers and bedrooms of the house.

That's a very big emerging societal problem that legal scholars, every business, and every individual who handles private data needs to be aware of today in the wake of the July 2024 outage.

CrowdStrike is a US cybersecurity company that makes endpoint management software. It is the company responsible for the July 2024 global network outage. It is no irony that companies who supply security services can be directly responsible for breaches, because they are given very serious responsibilities which they may neglect or discharge incompetently. Though tasked to protect digital property their failure to maintain digital weapons lead to friendly casualties.

On 19 July 2024, CrowdStrike distributed a faulty update to its Falcon software that allegedly caused eight million computers running Microsoft Windows to crash and fail to restart. It is estimated to have caused ten billion US dollars of harm, and to possibly have caused many deaths and injuries due to failed emergency services.

CrowdStrike were negligent in their quality processes, according to whistle-blowers who soon emerged. Their business model was described by a team member as "We push software to your machines any time whether or not it's urgent, without testing it".

Let's shift focus now from CrowdStrike, and indeed Microsoft to look at the bigger picture.

If you leave guards in charge of your castle, and they get drunk and lose the keys or decide to take over the castle. you may come back to a castle you're locked out of. MSP vendors open up the path to a serious a breech of ownership.

As Agent Smith says in The Matrix;

"I say your civilisation because as soon as we started thinking for you it really became our civilisation which is of course what this is all about."

Ownership brings responsibility, which is something many of us shy from these days. Just making a living seems a burden enough, and the world is so complex - so why care? Computers were once something that people recognised as potentially dangerous enough to require a "licence" to operate. Today we give them to 6 year-olds. And yet the retort of those who sell managed security products is "people are too stupid to manage their own computer security".

This makes the overtures of a new breed of Consumer Communist very attractive. It is the philosophy of guilt-free abdication of responsibility in the face of a supposed benign Utopian regime of care. We want the benefits without the necessary intellectual work. In the words of the "World Economic Forum" (WEF), and essayist Ida Auken, it says "You'll own nothing and you'll be happy".

That is another way to say "You will control nothing". As for happy, like under the USSR, you'll have no choice but to at least pretend you are.

Behind this language is a bid to take control from you. Giving up control over your own computer or phone is fast-track to owning nothing. It's a spectacularly bad idea because your computer is more than physical hardware, or just an operating system and a collection of "apps". It's a digital space with which you mix creative labour, run your business, invest time and maintenance. It's a place and thing over which you exercise exclusive rights of use and require for daily work.

In reality the July 19 incident was mild. Only 8 million computers is a small impact compared to likely future events. It's an important taste of what is on the menu in future. Unless governments move to harshly regulate the big actors in the computer security field then, like earthquakes and storms, are people going to have to get used to the massive economic and lifestyle damage of intermittent "Digital Weather"? This is how the mainstream press have so far presented the July 19 outage, as if it were beyond human control. In my opinion, by presenting that attitude and thus encouraging people to see technology failure as inevitable they are guilty of normalising harms and they are complicit in excusing a multi-billion dollar "insecurity industry".

There are many non-intuitive problems with an MSP philosophy. Uniformity of managed security creates a diversity (monoculture) problem which makes failure not only more likely, but more catastrophic when it does fail.

There are principal agent problems that make MSPs in a position of digital privilege extremely likely to defect, in either quality of service, or betraying end user's interests.

Our position is that all such managed endpoint security is a bad idea because it erodes fundamental digital sovereignty. Perhaps it ought to be outlawed. Perhaps new laws are required to make people who buy into such schemes aware of the risks they face and responsibilities they are shrugging. Perhaps new laws are needed to make us liable for the harms we wreak when the security we delegate to unfit providers - including operating systems vendors like Microsoft - fails? These might serve to discourage irresponsible outsourcing to unfit security products without proper diligence.

We may also see the MSP ideology as an outgrowth of "cloud computing". Cloud is best described as "Your stuff on someone else's computer". MSP is "Your security in someone else's hands".

It raises serious trust and security issues that have not been addressed politically and although "easy and expedient" the economic benefits are seldom weighed against its significant risks. Cloud has brought a slow encroachment of ownership in computing. Cloud can be seen as a stage on the path to also taking over endpoints, controlling the computers people own, but taking digital privilege without responsibility.

A better model is to help people take back tech. Instead of encouraging lazy attitudes to our technology we should look to;

• education, starting in schools, for people to manage their own digital lives
• better standards, compulsory disclosure, so that people know what they are buying
• stigma or disincentive attached to lack of care around computing devices
• government regulation, warnings and advice about "endpoint security" not directly managed by the user.

This is an interesting area because its where politics and tech really fail to work. Kaspersky, for all the faults that MSP software has, is not a bad product as far as we know, but was sanctioned out of political caution. Meanwhile US companies with egregious, repeated offences against security are given a hall-pass and allowed to offer pathetic excuses.

For example; Given that Microsoft had too much power over customers' computers the European Commission imagined they could "level the playing field" and create interoperability by insisting third-party security apps get the same level of access to Windows kernel that Microsoft gets… a dangerous level. In effect they said to Microsoft "you must allow the same type of reckless, abusive programming by third parties on Windows platforms, as you yourselves enjoy."

After dragging everyone down into the gutter of awful software engineering Microsoft practice - reaching what I think is a new moral low-point for themselves and the tech industry in general - Microsoft then blamed the Commission for the CrowdStrike affair, effectively saying; "Now look what you made us do!"

Do you trust your digital life to these squabbling schoolboys? You could spend a fraction of what people give to an MSP to learn some cybersecurity and manage it all yourself. Keep control, ownership and self-respect over your digital systems and stop trusting your critical systems to unregulated protection rackets.