Are We Too Dependent on Microsoft?

Apple @lemmy.world

28 10

71 comments

Short answer: yes
Long answer: yeeeeeeeeees
- Detailed answer: Yankee Echo Sierra
  Repetitive answer:
  undefined
  
  yes
  
  Answering the question with a counter question
  undefined
  
  Why do we ask a question whilst already knowing its answer?
  
  I like this one

My household is a Microsoft free environment. There is no place for the royal we in this conversation.
- I can almost say the say thing, but I actually have a small Windows laptop dedicated to some software used for reprogramming the computer in my truck. I've never tried to run it under wine, so I might not need the laptop, but I very rarely use it anyway. Everything else in the house, from our android phones and tablets, to the entertainment system running from a raspberry pi, up to our laptops, desktops, and my stack of servers all run linux exclusively. Funny how they all run smoothly for years at a time.
  
  Honestly, if your programming your ECU or something. I wouldn't risk potentially bricking your car. It is a tool after all, something like how I prefer mikita over Milwaukee but I'll use it to get the job done if needed.
  Edit: ECU software can be a little finicky. Jayztwocents built a PC for his mechanic friend and the application refused to start because it wasn't an Intel CPU.
- If it is a royal we, then you are excluded from the conversation and the amount of Microsoft in your household is irrelevant.
  
  I thought it was funny,

No. If everyone were on Linux and there was a breaking change introduced by a third-party there would be similar problems.
The problem is that critical infrastructure isn't treated like critical infrastructure. If something you rely on can go down due to a single point of failure, maybe don't fucking use it?! Have backups, have systems that can replace those systems, have contingency! Slapping Windows on to a small machine and running some shitty Chromium app to work as a cash register is a fucking stupid idea when you consider that it is responsible for your whole income.
The problem was never Windows. It was companies that were too cheap to have contingency, because an event like this was considered extraordinary and not worth investing in.
- Nope, that's not how it works on Linux, even if someone introduced the most heinous breaking change people would just not update until things were fixed, in fact the update is unlikely to do that because things are tested before being pushed. If someone were using latest of everything by having something like a Gentoo system with everything building from git maybe that person would be affected and he would have to rollback to an earlier version and keep going for a total downtime of 1h tops, and that is if someone was using the most stupid way possible in production.
  The main reason why this will NEVER happen to a server running Linux is that updates are not automatic, i.e. they get triggered manually, so if there's an issue upstream you don't update, and if you encounter you rollback. The issue is not that Windows had a broken update, that can happen and it's fine, the issue is when the OS forcefully installs that update and breaks your system without you doing anything.
  And yeah, I know what I'm talking about, I worked as a software architect for a large website for a few years and now I work as a software engineer for the servers of one of the largest online games.
  Edit: re-reading your post, I would like to ask you how would you build this critical infrastructure with Windows? Because independently of how you answer it you would have been affected by this.
  
  Windows updates don't happen automatically in an Enterprise environment. They are tested and pushed out once the version is determined to be stable.
  
  That is a wild assumption with two key flaws
  Windows in many workplaces has updates locked down too, except in circumstances where critical security or vulnerability patches are pushed through.
  The same is true for many servers that run Linux.
  As someone that works on tier1 services for arguably the biggest tech company right now, that's how it works in most of FAANG. Updates are gated, sure, but like with many things there's a vetting process where some things that look super important and safe just slip through.
  In regards to your edit, I guess most cases are different from others, but if your entire business requires you to be able to use a machine 100% of the time then you should have the means to either use a different machine to continue transactions (ideally one with a known state that won't change, or has been tested in the last few months). If you need to log transactions and process 24-48 hours later do that on something that's locked down hard, with printed/hard backups if necessary.
  Ultimately, risk is always something you factor in. If you don't care about 48 hours of downtime over several years, it's not a huge concern. I'd probably argue that many companies lost more money during these days than they would have spent in both money and people-hours training them on a contingency system to use in case of downtime.
  
  the issue is when the OS forcefully installs that update and breaks your system without you doing anything.
  The crowdstrike update was pushed out by their own software I thought, not the windows update system?
  Plus crowdstrike has caused similar issues with Linux systems before, so the solution is to just not use crowdstrike and similar solutions on any OS.
  The issue is not that Windows had a broken update, that can happen and it’s fine, the issue is when the OS forcefully installs that update and breaks your system without you doing anything.
  I would have thought most businesses with windows would do staged rollouts.
- I mean this is sort of like what the new NIS2 Regulations tries to achieve. Make critical infrastructure producers and maintainers aware and force them to treat their infrastructure accordingly.

It's nice that major news outlets are saying what we nerds have been screaming for the past two decades. Microsoft only shares a small portion of the blame for the recent outage (they could have built their OS better so software vendors don't feel the need to use kernel modules, but the rest is on CrowdStrike) but we are too depenent on them.
- Not to change the subject, but your italicized "are" made me realize that Lemmy uses a different font for italic content (see the letter A). There's another message down below deleted by creator which has the same style. I know, it's a weird thing to notice, but there was a blog I saw this week mentioning that scammers are using websites with a (I think?) Cyrillic 'a' that looks just like the italic one here to fool people into thinking they're visiting a legitimate site, so that little discrepancy stood out to me today. At least now I know I'm paying attention! 😆
  
  Interesting. I'm not sure that's a Lemmy thing per se, maybe specific to your client, or some extension or something altering CSS?
  I just checked in my browser's inspector, and the italicized text's
  <em>
  tag has the same calculated font setting as the main comment's
  <div>
  tag.
  FWIW, I'm using Firefox with my instance's default Lemmy web UI.

Imho. We are too laissez faire about our dependence on computers.
Currently doing disaster planning for compliance. What I really want to put in the docs is “If power or internet goes down we are just fucked. No planning needed. “
- I mean disaster planning is about finding ways to mitigate things like power or internet going down to minimize or eliminate their impact. That said, accepting the risk of downtime because alternatives are too expensive is a perfectly valid decision as long as it's an intentional one.
  
  It depends on the industry. Some industries have very critical systems that can't go down period.
- The more nines you add the more exponential growth you see in cost. This is because you end with lots of idling hardware.
- Too cheap to buy UPS, generators and redundant fiber or something?
  
  We are a small medical practice. It would cost approx $15k in batteries to give us about 3 operating hours. Not economically viable.
  But do you think something like an airport would have enough diesel capacity to contiune operating in a power out?
- What would you suggest to solve this?
  
  Much, much more care should have being taken by all parties.
  Microsoft should not have given kernel access to crowdstrike. Crowdstrike should not have being able to push a killing update.
  Edit: Hindsight is 20 20
- Also currently trying to get NIS2/27001 compliant before the October deadline hits? ^^

Yes.
Entire companies and (worse) government depending on a single vendor knows for it's 30 year long history of attitudes like "we before our customers" and "well tell you anything to sell you, but well barely do the basics on our products" and"we'll make sure we're compatible with nothing, going as far as sabotage, so you can't escape our greedy claws" is a very bad idea (tm). Forcing customers and citizens to use that crap is even worse.
With Linux ( and the open source world) you have an open System that has been independently verified by millions, you have actually inter system compatibility oozing out of the wazoo. You have vendors selling software that you can actually rely on.
- Even with Linux though, so much of it relies on Github (think Nix Flakes, the AUR, and just general random apps that live there etc.) which is owned by MS. Not that they would necessarily just nuke Github one day (because that would be an insane thing to do) but just the general idea that MS is in a position to disrupt so much of the Linux ecosystem if they really wanted to makes me uneasy.
  
  I love nix but it's my main gripe with nixos. They really should switch to an alternative service.
  
  Fully agree there, Linux should not be hosted on a service manageby Microsoft, if even just for the principle of it.

Wouldn’t it be wild if all government work was located in Microsoft’s M365 services? Like imagine all government data living on a SharePoint site on an E5 M365 tenant. Like if every single citizen processing service was a PowerApps application? Imagine what would happen if Microsoft had an outage or a hack?
How easy would it be for a foreign adversary to take out a country by only focusing its attacks on a single company? Gosh what a hellscape that would be.

Yea.

The only answer: y e s

Yes we need variety. Imagine if all cars were from the same brand ..
- Nervous sweating from the Audi-Bentley-Ducati-Lamborghini-Seat-Skoda-Volkswagen-Porsche-Conglomerate known as "Volkswagen AG"
  
  They are still different brands with different features and price points. The fact that a faulty part was detected on Bentley doesn't 100% mean a Seat will have the same issues

I don't like the implied false dichotomy between opening up the kernel and better security. You can definitely have both. Otherwise it's a good report.
- Well Microsoft signed off on Crowdstrike...

"We", no. "Too many", yes. In general, hard dependencies on proprietary software or services are often overlooked or ignored as potential future problems. Recent examples of this are Microsoft and VMware. Once the vendor changes things so that you don't like anymore, or drives up prices like crazy, you'll quickly realize that you have a problem you can't solve other than switching, which you might not even be prepared to do short-term.
The Windows world now experiences this because Microsoft is no longer interested in maintaining a somewhat quality operating system, they are mostly interested in milking their user base for data, and don't hesitate to annoy or even disrupt their user base's workflows in a try to achieve that goal.
Many Windows users are currently looking at Linux because of this, but the more your whole workflow is based on dependencies to proprietary Windows-only software, the harder your time to switch will be. If you still use Windows today, you should at least start using more open source or cross platform software, which also will work on Linux, because you are on a sinking ship and there will probably be a time when you can't take MS' BS anymore and want to switch. Make it easier for you in the future by regarding Linux compatibility in the hard- and software you use today.
- I think VMware is actually a good example of in house control. If AWS raised prices everyone would be (and is) trapped. With VMware there are tools that make migration easy.

I think the issue has more to do with the "cloud"
- YES.
  And not just the cloud, but internet connectivity and automatic updates on local machines, too. There are basically a hundred "arbitrary code execution" mechanisms built into every production machine.
  If it doesn't truly need to be online, it probably shouldn't be. Figure out another way to install security patches. If it's offline, you won't need to worry about them half as much anyway.

Well, as long as you have prepared a backup system then you should be fine. Like dual booting into Linux

I deal with whole I.T support companies built on the Microsoft partnership platform. All their dev is c#, servers are windows, no concept of other os when it comes to support. It's a real basket of ms eggs situation.

undefined

while True: print("yes")
Cant use tab as I'm on a phone
- yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes
  yes